FedRAMP ATO: Executive Summary
With the rise of cloud technology, both the U.S. government and private companies in highly regulated markets are trending toward SaaS (Software as a Service) solutions. For the vendor, SaaS offers flexibility, the ability to patch every customer at once, faster time to market and support for multiple government agencies from one platform, so that development done for a single agency can benefit all of them.
Oteemo is an expert at building a bridge between the Government and SaaS solutions. As commercial companies transition to SaaS, it is imperative to establish development frameworks that work both in the commercial sector and under government regulations.
Oteemo recently collaborated with one such company, which was looking to achieve FedRAMP ATO for an existing SaaS product. Oteemo assessed their needs and executed a robust plan to bring the product through the FedRAMP process.
A global leader in SaaS-based data analytics platforms (the Client) approached Oteemo in search of a US-based partner to achieve FedRAMP ATO (Authorization to Operate) for their existing SaaS product. An ATO makes the product eligible for sale to the U.S. Government.
The client had lost significant internal knowledge during staff turnover, and their US SRE team was very limited. That team did not have the resources or institutional knowledge to build and support a SaaS platform that was pursuing FedRAMP authorization, so the client needed a US-based partner.
Oteemo was uniquely positioned to assist because of its deep experience in FedRAMP cyber engineering and secure solutions within the Department of Defense’s Platform One and cATO (Continuous Authorization to Operate) platforms. Our experience with commercial products also provided proof points to help the client navigate DoD compliance with a commercial product. Because of federal rules and regulations, the Sweden-based client needed a US-based partner that knew how to run the FedRAMP process efficiently and maintainably. Oteemo’s institutional knowledge and experience made us the perfect partner.
FedRAMP (the Federal Risk and Authorization Management Program) is the standardized process by which cloud service offerings are assessed, authorized and continuously monitored so that U.S. government agencies can use them. A product must meet the security controls of its target baseline to be eligible, which makes FedRAMP a complex logistical process both in the initial authorization and in maintaining it afterwards. It can be difficult to ascertain and prioritize which documents are vital to gain authorization.
The client had been searching for a partner and required an immediate solution. They were unable to sell their existing product to the U.S. Government and wanted to offer it as both a federal and a commercial SaaS product. They had an existing development process for commercial customers and needed that process redesigned so the commercial and federal sides would work seamlessly together.
It was pivotal that the process serve both the commercial and federal products, so that the new FedRAMP process did not impede existing commercial development.
The client had experience pushing updates to their product on the commercial side, but needed help building a process to apply those updates to the federal side while staying compliant with FedRAMP requirements. Their existing CI/CD (Continuous Integration / Continuous Delivery) pipeline could stay as it was on the integration side; the delivery (CD) half needed to be updated to deliver into the FedRAMP environment under control.
Additionally, FedRAMP is an ATO (Authorization to Operate) program: once authorized, the system is under continuous monitoring, and any significant change must be assessed and approved before it is deployed. Because of this, the client required ongoing support to maintain their authorization.
How We Helped Achieve FedRAMP Without Slowing Innovation
Oteemo began by laying out a substantive execution plan and educating the client on the requirements for FedRAMP SaaS projects. One of the most important aspects was to ensure the processes did not slow down innovation. The client needed to understand how the process works and where the most common pitfalls lie. Oteemo established the following objectives:
- Core Engineering Support (consulting / outsourcing function): Oteemo developed a plan with the client not only to teach the new FedRAMP development processes, but also to carry out the development and deployment work within the client’s organization. This included:
- Tenant Automation Process: The platform was built on multi-tenant architecture principles. Oteemo identified the key steps in provisioning a FedRAMP SaaS tenant, which had been a manual onboarding procedure, and streamlined that procedure. Oteemo then turned it into a secure, automated process for scalability and sustainability.
- Site Reliability Engineering: Oteemo developed a set of principles and practices for developing scalable and highly reliable software. This included:
- Synchronizing and refining the log and metrics collection sets, and wiring dashboards to their corresponding backend metrics stores in the Government SaaS platform.
- Ensuring alerting and monitoring were in place so that incidents are detected and responded to.
- Refining playbooks to account for the environmental differences and caveats between the commercial and Gov SaaS platforms.
- Implementing a solution to rebalance tenants across ALBs (Application Load Balancers) to stay within the service limits AWS imposes in GovCloud (US). The product runs in AWS GovCloud (US) for its built-in controls and compliance authorizations, and GovCloud’s quotas differ from those of the commercial regions.
- Implementing container signing to guarantee image lineage in the Government SaaS platform, so that only images produced by the client’s build pipeline are deployed.
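Container signing as described above, illustrated with an added example that is not the client’s or Oteemo’s code: a Go program that signs an image digest with an Ed25519 key and applies an admission-style policy that rejects tag-only references, rejects signatures from keys outside the trust set, and accepts only a digest-pinned reference signed by a trusted key. The registry host, repository path, manifest bytes and the `image-signature-v1` payload format are constructed for the example; in a real pipeline the private key would live in a KMS/HSM and the same check would run in an admission controller (tooling such as cosign implements this pattern).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ImageRef is a parsed "repo@sha256:<hex>" reference. Tags are rejected at
// parse time: a tag can be re-pointed after signing, a digest cannot.
type ImageRef struct{ Repo, Digest string }

// ParseDigestRef accepts only well-formed, digest-pinned references.
func ParseDigestRef(ref string) (ImageRef, error) {
	repo, digest, ok := strings.Cut(ref, "@")
	if !ok || repo == "" {
		return ImageRef{}, fmt.Errorf("%q is not pinned by digest", ref)
	}
	algo, hexPart, ok := strings.Cut(digest, ":")
	if !ok || algo != "sha256" || len(hexPart) != 64 {
		return ImageRef{}, fmt.Errorf("malformed digest %q", digest)
	}
	if _, err := hex.DecodeString(hexPart); err != nil {
		return ImageRef{}, fmt.Errorf("digest %q is not hex", digest)
	}
	return ImageRef{Repo: repo, Digest: digest}, nil
}

// signedPayload binds the signature to repository and digest, so it cannot be
// reused for the same bytes published under another name (example format).
func signedPayload(ref ImageRef) []byte {
	return []byte("image-signature-v1\n" + ref.Repo + "@" + ref.Digest)
}

// Signer holds the pipeline's private key (in practice kept in a KMS/HSM).
type Signer struct{ priv ed25519.PrivateKey }

func NewSigner() (Signer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Signer{}, nil, err
	}
	return Signer{priv: priv}, pub, nil
}

func (s Signer) Sign(ref ImageRef) []byte { return ed25519.Sign(s.priv, signedPayload(ref)) }

// Policy is what an admission controller holds: the publisher keys allowed
// to introduce images into the FedRAMP environment.
type Policy struct{ TrustedKeys []ed25519.PublicKey }

// Admit returns nil only for a digest-pinned reference carrying a signature
// from a trusted key; every other case is rejected with a reason.
func (p Policy) Admit(rawRef string, sig []byte) error {
	ref, err := ParseDigestRef(rawRef)
	if err != nil {
		return err
	}
	for _, k := range p.TrustedKeys {
		if ed25519.Verify(k, signedPayload(ref), sig) {
			return nil
		}
	}
	return errors.New("no signature from a trusted key for " + rawRef)
}

// DigestOf returns the registry-style digest of a manifest blob.
func DigestOf(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "sha256:" + hex.EncodeToString(sum[:])
}

type DemoResult struct{ SignedAccepted, TagRejected, UntrustedKeyRejected bool }

// Demo signs a constructed manifest digest and runs it through the policy.
func Demo() (DemoResult, error) {
	pipeline, pub, err := NewSigner()
	if err != nil {
		return DemoResult{}, err
	}
	rogue, _, err := NewSigner() // a key the policy does not trust
	if err != nil {
		return DemoResult{}, err
	}
	repo := "registry.example.gov/analytics/api" // hypothetical repository
	ref := ImageRef{Repo: repo, Digest: DigestOf([]byte("constructed sample manifest"))}
	pinned := repo + "@" + ref.Digest
	sig := pipeline.Sign(ref)
	policy := Policy{TrustedKeys: []ed25519.PublicKey{pub}}
	return DemoResult{
		SignedAccepted:       policy.Admit(pinned, sig) == nil,
		TagRejected:          policy.Admit(repo+":1.4.2", sig) != nil,
		UntrustedKeyRejected: policy.Admit(pinned, rogue.Sign(ref)) != nil,
	}, nil
}

func main() {
	r, err := Demo()
	fmt.Println(r, err)
}
```

The point of checking the reference shape before checking the signature is that a signature over a mutable tag proves nothing about what the cluster will actually pull; lineage is only meaningful for an immutable digest.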
- How to establish and maintain accreditation with the U.S. Government (FedRAMP ATO): Oteemo was uniquely positioned to help because of its deep understanding of the FedRAMP process and of what an organization must do to gain authorization. Once the new FedRAMP process was established, Oteemo walked the client through how they would secure U.S. government authorization and how they would maintain it through future development. This included:
- Establishing significant change criteria.
Significant Change: The U.S. Government has specific requirements for what constitutes a ‘significant change’ to the platform. A change or feature qualifies as significant when the proposed architecture falls outside the boundary described in the current FedRAMP SSP (System Security Plan) and data flow documentation produced at the beginning of the approval process; such changes must be reviewed before they are deployed.
- Refreshing the FedRAMP Environment: In conjunction with the client’s global SRE team, Oteemo played a crucial role in building the critical infrastructure of their FedRAMP environment.
- Collaboration with the FedRAMP product owner(s), release management and compliance in shaping the guidance for significant change review. This ensured that changes were checked for FedRAMP compliance impact before being promoted to the FedRAMP SaaS.
- Release management’s primary responsibility is labelling feature flags. Feature flags toggle features on and off per tenant, so a change can be enabled for some tenants while remaining disabled for others.
- DoD IL4 Compliance Container Hardening: Oteemo custom-tailored an implementation plan and approach to achieve DoD IL4 compliance. DoD IL4 is an additional level of security and scrutiny beyond the FedRAMP Moderate baseline and requires additional resources and development.
Since there is no single authoritative document that lists container hardening requirements for DoD IL4, Oteemo created container-specific STIG checks for the client’s OS base images. This let the client scan and remediate compliance items in the base images, producing a more secure baseline aligned with DoD IL4 requirements.
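To make the container-specific STIG checks concrete, here is an added example, not the client’s or Oteemo’s tooling: a Go program that walks an unpacked image root filesystem (assumed to have been produced by something like `docker export` or `crane export` and untarred into a directory) and reports /etc/shadow permissions, empty password fields, world-writable files outside /tmp and setuid binaries that are not on a documented allowlist. The rule names, the allowlist and the deliberately non-compliant sample rootfs are constructed for illustration; real STIG IDs and the full control set are not cited here.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one failed check against an unpacked image root filesystem. Rule is
// a short local name; real STIG IDs are deliberately not cited in this example.
type Finding struct{ Rule, Path, Detail string }

// Setuid files a base image is expected to carry (illustrative allowlist);
// anything else is reported so it can be documented or stripped.
var setuidAllowlist = map[string]bool{"usr/bin/passwd": true, "usr/bin/su": true}

// RunChecks inspects the rootfs under root and returns every failed check.
func RunChecks(root string) ([]Finding, error) {
	var out []Finding
	add := func(rule, path, detail string) { out = append(out, Finding{rule, path, detail}) }

	// Check 1: /etc/shadow must not be readable by group or others.
	shadow := filepath.Join(root, "etc", "shadow")
	if info, err := os.Stat(shadow); err == nil && info.Mode().Perm()&0o077 != 0 {
		add("shadow-permissions", "etc/shadow", fmt.Sprintf("mode %04o", info.Mode().Perm()))
	}
	// Check 2: no account in /etc/shadow may have an empty password field.
	if data, err := os.ReadFile(shadow); err == nil {
		for _, line := range strings.Split(strings.TrimSpace(string(data)), "\n") {
			if f := strings.Split(line, ":"); len(f) >= 2 && f[1] == "" {
				add("empty-password", "etc/shadow", "account "+f[0])
			}
		}
	}
	// Checks 3 and 4: world-writable regular files outside /tmp, and setuid
	// files that are not on the allowlist.
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		if info.Mode().Perm()&0o002 != 0 && !strings.HasPrefix(rel, "tmp/") {
			add("world-writable", rel, fmt.Sprintf("mode %04o", info.Mode().Perm()))
		}
		if info.Mode()&os.ModeSetuid != 0 && !setuidAllowlist[rel] {
			add("unexpected-setuid", rel, "not on the documented setuid list")
		}
		return nil
	})
	return out, err
}

// ScanSampleRootfs writes a constructed, deliberately non-compliant rootfs under
// dir (sample data, not a real image) and runs the checks against it.
func ScanSampleRootfs(dir string) ([]Finding, error) {
	files := []struct {
		rel  string
		mode os.FileMode
		body string
	}{
		{"etc/shadow", 0o644, "root:$6$salt$hash:19000:0:99999:7:::\nsvc::19000:0:99999:7:::\n"},
		{"usr/bin/su", 0o755 | os.ModeSetuid, "#!/bin/sh\n"},     // allowlisted setuid
		{"usr/bin/helper", 0o755 | os.ModeSetuid, "#!/bin/sh\n"}, // undocumented setuid
		{"usr/lib/app/config.yaml", 0o666, "debug: false\n"},     // world-writable
		{"tmp/scratch", 0o666, ""},                               // under /tmp, ignored
	}
	for _, f := range files {
		p := filepath.Join(dir, f.rel)
		// WriteFile's mode is subject to the umask, so chmod explicitly afterwards.
		if err := errors.Join(os.MkdirAll(filepath.Dir(p), 0o755),
			os.WriteFile(p, []byte(f.body), 0o600), os.Chmod(p, f.mode)); err != nil {
			return nil, err
		}
	}
	return RunChecks(dir)
}

func main() {
	dir, err := os.MkdirTemp("", "rootfs-")
	if err != nil {
		os.Exit(2)
	}
	findings, err := ScanSampleRootfs(dir)
	os.RemoveAll(dir)
	for _, f := range findings {
		fmt.Printf("%-20s %-25s %s\n", f.Rule, f.Path, f.Detail)
	}
	if err != nil || len(findings) > 0 {
		os.Exit(1) // non-zero exit so a CI gate fails the image build
	}
}
```

Run against the sample rootfs this reports four findings (the shadow file mode, the `svc` account, the undocumented setuid `usr/bin/helper` and the world-writable config file) and exits non-zero, which is how a check like this gates a base image build in CI; the allowlisted `usr/bin/su` and the file under `tmp/` are not reported.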
Additional Challenges: During the project, the team overcame obstacles including client staff turnover, constrained client resources, and a complete cultural shift in how the client developed and deployed their SaaS offering. It took deep commitment and grit to overcome these obstacles and continue delivering on our scope of work.
Over the course of six months, Oteemo developed and deployed new FedRAMP development processes for the client. This prepared the client to complete the FedRAMP process, which will enable them to sell their SaaS product to the U.S. government. At the same time, Oteemo ensured the new federal offering was developed in harmony with the existing commercial product.
Additionally, Oteemo reduced technical debt, implemented a punch list for STIG (Security Technical Implementation Guide) requirements, and provided guidance for the compliance process.
The client is now on their FedRAMP path with an anticipated completion date of Summer 2022. Oteemo continues to collaborate with the client and assist on their FedRAMP journey.