The Federal Risk and Authorization Management Program (FedRAMP) standardizes how U.S. federal government agencies apply the Federal Information Security Management Act (FISMA) to cloud computing services.
Through its “do once, use many times” security assessment framework, agencies can streamline the processes for the assessment, authorization, and monitoring for cloud service providers (CSPs) and their cloud service offerings (CSOs).
Federal agencies and the FedRAMP Joint Authorization Board (JAB) work in tandem with third-party assessment organizations (3PAOs) to assess the security environments of CSPs. Many documents support such assessments. One of the most important is the System Security Plan (SSP).
A FedRAMP SSP helps agencies and 3PAOs to understand which baseline security controls a CSP has implemented. As part of the security package, the SSP influences the authorization process and determines how quickly the CSP will achieve FedRAMP certification and get added to the FedRAMP marketplace.
Many cloud vendors at first feel overwhelmed by the challenges of creating a detailed and complete SSP. The recommendations in this guide will provide the confidence necessary to get started.
What Is a FedRAMP System Security Plan?
The SSP details the security controls a CSP has implemented as part of its FedRAMP certification journey.
When creating the SSP, the CSP must use the standard template on www.fedramp.gov, regardless of whether the vendor is pursuing agency authorization (ATO) or JAB authorization (P-ATO). The template also provides guidance to help CSPs describe their controls implementation in the SSP.
CSPs must use an independent 3PAO to test their CSO and demonstrate that their controls are effective. The 3PAO will also test that the controls are implemented as documented in the SSP. The assessor then creates a Security Assessment Report (SAR) that helps agencies to use FedRAMP security assessment packages.
Why Is the SSP Important to a FedRAMP Assessment?
The SSP is a foundational document for FedRAMP assessments because it provides value to both 3PAOs and CSPs.
Why the SSP Is Important for 3PAOs
3PAOs (and non-accredited independent assessors) use the SSP to develop a Security Assessment Plan (SAP). The SAP is the starting point for 3PAOs performing the security assessment of the cloud system environment. It documents the methodology they will employ to test the CSP’s control implementation.
To create an effective SAP and develop a streamlined test approach, a detailed and complete SSP is essential. The SSP must explain how the CSP has implemented each control in the CSP’s cloud environment. The plan must also define the boundaries for shared controls between the CSP and the CSO’s end user.
Why the SSP Is Important for CSPs
The SSP is also crucial for CSPs undergoing a FedRAMP assessment because it helps them demonstrate their credibility to potential federal customers. The SSP evaluation process is extensive.
The FedRAMP evaluation also covers the CSP’s incident response and remediation plan. By completing these steps, CSPs can demonstrate that their CSOs comply with FedRAMP’s stringent security requirements.
Further, the report includes details of the CSP’s security controls, so previously unknown vulnerabilities in the CSO can be brought to light. If left unchecked, those vulnerabilities would leave the CSP (and ultimately end users) at risk of cyberattacks and data breaches. By preparing the SSP, CSPs can reveal and fix these vulnerabilities before they have a chance to cause damage.
What Does the SSP Include?
The SSP report allows FedRAMP review teams to understand the architecture of the CSO under review. It also explains the system’s boundaries and supporting infrastructure. Additionally, it describes all these elements of a CSO:
- Security authorization boundary
- How the implementation addresses each control that’s required under FedRAMP
- Roles and responsibilities of CSP personnel
- Expected behavior of individuals with system access
Also, for each security control implemented by the CSP, the SSP shows:
- Description of implemented controls
- Implementation dates and times
- How the solution addresses various controls
- The responsibilities of CSPs and federal agencies pertaining to SSP implementation
Common Challenges in Creating the SSP
Since the SSP is such a crucial success factor for FedRAMP authorization, CSPs are under pressure to get it right. The document requires a considerable commitment of both time and resources to complete.
To ease the burden on CSPs, the FedRAMP PMO (Program Management Office) has developed SSP templates for low, moderate, and high FedRAMP levels. Nonetheless, these baseline templates run more than 300 pages and require detailed descriptions for each control. The templates also include other critical areas to address.
Such comprehensive and long documents overwhelm many CSPs, especially if they:
- Are unfamiliar with FedRAMP
- Struggle to coordinate inputs from multiple domain experts
- Have not documented these controls in the past
In short, a lot of effort is required to write an SSP.
Tips to Create an Effective SSP
CSPs can overcome the challenges highlighted above and write effective SSPs by following these best practices.
Create a Detailed Network Architecture Diagram
A detailed network architecture diagram illuminates the various system components and boundaries, and how all these elements should support each other. If a boundary is unclear or a component is overlooked, the CSP may miss implementing the appropriate security controls.
The CSP may also miss patching the system, which may result in vulnerabilities. These gaps increase the risk of a cyberattack and lower the CSP’s chances of passing the FedRAMP assessment.
To avoid such adverse consequences, the network architecture diagram must include details about the CSO’s security-related components, web, application, and database servers, as well as internal and external interfaces. It must also define the system boundary by scanning all the hosts on the network.
Complete the System Inventory
The CSP must include the components listed in the network architecture diagram in the inventory. The inventory should consist of both hardware and software components and match the diagram. A system inventory that doesn’t match the network architecture diagram will introduce errors in the SSP.
Create an SSP Team
To document the SSP, bring aboard team members with deep technical knowledge of cloud security controls, network architecture, and data flows. Experienced technical writers are also required to ensure the SSP is precise and detailed.
It’s also beneficial to have team members who have a good understanding of FedRAMP and SSP requirements. CSPs that lack such resources should bring in external advisers or consultants with FedRAMP and SSP expertise to complete the process as soon as possible.
Leverage a Requirements Traceability Matrix (RTM) to Define Controls Implementation
An RTM helps CSPs to describe the controls implemented across the CSO accurately. With its simple X-axis/Y-axis model, CSPs can identify each FedRAMP control and map its components to depict how the CSP has implemented the necessary controls across the cloud system.
Additionally, the RTM decreases the risk of incomplete control descriptions in the SSP and helps developers to understand the FedRAMP requirements for their CSO.
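The two consistency checks described above (inventory against the architecture diagram, and RTM coverage of required controls) can be scripted before the SSP is written up. This is an added example, not part of the original article or any FedRAMP template; all hostnames, control IDs, and mappings are constructed sample data.

```python
"""Pre-SSP consistency checks: inventory vs. architecture diagram, and RTM control coverage.
All data below is constructed for illustration; names and mappings are assumptions."""

# Constructed: components drawn on the network architecture diagram.
DIAGRAM_COMPONENTS = {"web-01", "app-01", "db-01", "fw-edge", "bastion"}

# Constructed: system inventory rows (name, kind). "db-02" is inventoried but not drawn;
# "bastion" is drawn but never inventoried. Both would introduce errors into the SSP.
INVENTORY = [
    ("web-01", "hardware"), ("app-01", "hardware"), ("db-01", "hardware"),
    ("db-02", "hardware"), ("fw-edge", "hardware"), ("nginx", "software"),
]

# Constructed RTM: control ID (NIST SP 800-53 numbering, as FedRAMP baselines use)
# mapped to the components that implement it.
RTM = {
    "AC-2": {"app-01", "bastion"},
    "SC-7": {"fw-edge"},
    "AU-2": {"web-01", "app-01", "db-01", "db-02"},
    "IA-2": set(),  # listed, but no component claims to implement it
}
# Constructed baseline subset; CM-8 is required but absent from the RTM altogether.
REQUIRED_CONTROLS = {"AC-2", "SC-7", "AU-2", "IA-2", "CM-8"}


def reconcile_inventory(diagram, inventory):
    """Return (components drawn but not inventoried, hardware inventoried but not drawn)."""
    hardware = {name for name, kind in inventory if kind == "hardware"}
    return sorted(diagram - hardware), sorted(hardware - diagram)


def rtm_coverage(rtm, required, diagram):
    """Return (required controls with no implementing component,
    components referenced by the RTM that do not appear on the diagram)."""
    uncovered = sorted(ctrl for ctrl in required if not rtm.get(ctrl))
    referenced = {comp for comps in rtm.values() for comp in comps}
    return uncovered, sorted(referenced - diagram)


if __name__ == "__main__":
    print("diagram/inventory gaps:", reconcile_inventory(DIAGRAM_COMPONENTS, INVENTORY))
    print("RTM gaps:", rtm_coverage(RTM, REQUIRED_CONTROLS, DIAGRAM_COMPONENTS))
```

Each non-empty list is a finding to resolve (redraw, re-inventory, or assign an owner to the control) before the corresponding SSP control descriptions are drafted.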
Define the Parties Responsible for the Implementation
The implementation of a particular control may not be the sole responsibility of the CSP because many cloud systems follow a “shared responsibility model” for security. It’s crucial to identify the CSP’s responsibility for the requirement and distinguish that duty from the responsibilities of other organizations (for example, implementing access control to authenticate users).
Define Data Flows
The overall goal of the FedRAMP program is to protect government information systems and assure that government agencies only use secure CSOs that can provide this protection. To this end, CSPs must document how their CSO will securely receive, process, and store government data.
The easiest way to inform this documentation in the SSP is first to define data flows with a data flow diagram. The diagram must accurately describe how users access government data and how it may leave the system’s boundary. It must also match the descriptions of control implementation in the SSP.
Leverage Automation with Software
Because an SSP requires a lot of time-consuming copy/pasting and editing, automated compliance management software can help save time and reduce the need for repetitive manual work.
With such tools, CSPs can automatically manage their security controls and processes, documenting them for the SSP. Some platforms also automate multiple cloud assessment activities related to planning, reporting, and execution.
Simplify FedRAMP Compliance with ZenComply
As the regulatory regime evolves, it’s not easy to achieve compliance with FedRAMP or other regulations. Manual spreadsheet-based processes add complexity and create inefficiencies in a compliance management program.
ZenComply provides a centralized platform that shortens audit cycles, simplifies risk assessments and streamlines compliance management. With ZenGRC, organizations pursuing compliance can automate evidence collection, facilitate continuous monitoring, and get a holistic view of their risk posture.
Do you want to know how ZenComply can simplify your company’s audit and compliance management processes? Schedule a demo to see for yourself.