Changes to the FedRAMP Significant Change Process


On August 30th, the FedRAMP PMO dropped a new round of changes that they had warned about since the updated boundary guidance came out in May. These changes included updates to the FedRAMP Significant Change Process. In previous videos we described changes to the FedRAMP High RAR template and the FedRAMP High SSP template. In this video, we take a look at the changes to the FedRAMP Significant Change Process. Thanks for watching and let us know if you have any questions, or need support in your FedRAMP journey. We are always ready to help!

Good afternoon. My name's Jason Shropshire, Daniel Rakowski, and we're from InfusionPoints, and today we're doing part 3 of a three-part series on the FedRAMP changes that came through recently from the FedRAMP PMO. Those came through at the end of August; August 30th is when the blog post came out. I think the templates were up a couple days before. Yep. So we've been going through and doing these videos on what's changed in the documents. So far we've done a video on the FedRAMP High RAR and the FedRAMP High SSP. Yep. And we assume that moderate and low is kind of covered there, because those templates changed but only for what's relevant for a moderate or a low system, so sort of the high-water mark should cover all the changes that were in those other documents as well. Yeah, same with the boundary guidance, and that was the main thrust of the changes we saw: the boundary guidance that came out earlier this year, in April I think, has been fully integrated now into all the documents, and there's a number of things that the PMO wants to see now in terms of boundary. And really, in the remaining documents there's one thing that we've seen that's been a theme, and that's that there's a lot more description now, and there's sort of a split in the process of doing a FedRAMP significant change. So today we're going to go over those differences as well as cover some of the more minor documents that have changed.

So let's get the minor ones out of the way. What were the first ones that we saw? Yeah, the other minor documents that changed was the vulnerability deviation request form, which was in a PDF format. Huh. Now it is in a spreadsheet format, for what the FedRAMP office says is, you know, to support automation processes, things like that. It's just pretty minor. Yeah. And then there was the baseline of controls spreadsheets, which were separated out beforehand into four separate ones: low, moderate, high were completely different spreadsheets. It was hard to compare baselines and say, well, if I want to go from low to high, to moderate, or moderate to high, what's the number of net new controls that I have, and do analysis like that. It was really difficult to do that before, because you kind of had to match all that together on your own to do any kind of analysis, but now it's all right there in one sheet. So, single pane of glass. Easy. That's the change that made a lot of sense. Was there anything else? Oh, those were the only ones that really kind of stuck out to me.

So then there are these other three documents that we think are pretty tightly related. There's the FedRAMP Significant Change Policies and Procedures document, which is totally net new. Yep. And then there's a document related to that, which is the old request form, correct, that's been changed now; it's just sort of updated, some minor updates. But then there's a whole new process document as well, around a certain type of change. Which one is that? The Cloud Service Offering Feature Onboarding Request. Yeah, which is sort of a split from the significant change process that they document here in this new policy and procedure document. So let's flip over to that and we'll start going through. Yep.

All right, so this is the new FedRAMP Significant Change Policies and Procedures document, version 1.0, so it's net new in the template realm for FedRAMP. And really, to me, this document is best explained, I think, in the... is it the executive summary of this one, or is that in the other one? Oh, it's the other one. Okay, yeah. All right, so really the idea here is to describe... I think in one of these they say that there was a number of requests and questions and things that have been coming through about how do we do a significant change? Yep. What's the process like, who's responsible for it, who submits and who approves, and can you do it during your annual assessment versus doing a separate 3PAO assessment of the specific controls that are affected? I mean, all these kinds of questions have come up, and I think that this document was their attempt at definitively saying: here's the process, here's what you have to do, and here's who's responsible, and all that. They also get very granular with what is a significant change and what is a non-significant change. They go through and they give many examples around that. That roles and responsibilities table just kind of splits out who does what. Yeah, later on in the document they have some nice flowcharts, flow diagrams, that kind of make that a little bit clearer. But this is where you're talking about, where they sort of teach you how to determine what is significant and what's minor. Yes. So yeah, and they even give, I believe, some different examples, different criteria for when a change is likely considered significant or major: a new cloud service offering or feature, a new technology like a new OS variant, something that's a totally net new technology change, something like that, a FIPS categorization change, security tool changes. I mean, yeah, it's definitely things that are significant. And they do enumerate special requirements for specific types of significant changes, so for a new technology, I guess, there are certain things that they want to see. And I think that even in the appendix they actually go through these scenarios and they sort of give you a predefined list of controls impacted for these different types. Correct. So they're being very prescriptive here about, you know, if it's this type of significant change, these control areas are probably impacted; if it's this type, then maybe it's these other controls. And they're sort of detailing that stuff out here, being much more prescriptive about this.

So I think the thing that intrigued us the most when we were going through this was this new cloud service offering or feature. This seems to be kind of a split, and it seems to me that they kind of see almost two different levels of players, and that some have different needs. Let's talk about the elephant in the room. So AWS: they have significant changes all the time, so rapid changes. Yeah, rapid. And their service model, you know, is they have all types of different services. I'm not sure if it's a hundred, yeah, but it's getting there, yeah, rapidly. And then the state of most services, and how they filter through different regions and how they filter into GovCloud, can vary, and often GovCloud lags pretty far behind, and it's an issue for a lot of our customers that are platforming in GovCloud. They want to know when those features are going to be becoming available in GovCloud. So it's very much, I think, something that the PMO is trying to get a hold of here: do we need to sort of have this way for clouds that are rapidly changing and rapidly onboarding new features, sort of a way for them to do that, that's probably a little bit different than the significant change process for clouds that are a bit slower, maybe only do a few changes annually? And they even define that in here. Yes, I thought, yeah. I mean, they look for eligibility criteria. They're kind of going through this onboarding process for the new cloud service offering or feature. This new thing is really for clouds that require a significant... well, there's a significant upfront investment. It's intended for offerings with a significant number of planned new services or features. It's not recommended for cloud service offerings that add only a few services or features annually. So they really say this is a fork in the road, and one goes one way and one goes another way, is how we're seeing this. And then the previous way is really just the old significant change process, but with a bit new. I think they've done a better job here of defining procedures and all that, so exactly who does what and when.

Yep. So they describe that here. They described these are the differences, moderate to high, these are the different types of changes, and later on I think they actually have requirements in the appendices, like we were talking about, for which controls are impacted. Right, for the spreadsheet, depending on which one. Yes. So here I think they're just going through the fields and the forms, and then we get to these nice process flow diagrams. And so, for the significant change process, there's a nice flow diagram with the different swim lanes for different organizations, and then how the responsibility flows in between, and the different artifacts and things that need to be generated, and how the process generally flows. So this, I think they've done a really nice job here of putting kind of a stake in the ground about here's exactly what's required and how the process works. Yeah. Then they go through this narrative about how the process works. So the significant change process is described here, and then there's a separate flow diagram for the new service or feature onboarding process. I almost wish they would have had some sort of a diagram at the beginning of this that was a decision point, like are you gonna go this way or that way, which one are you going to use, with maybe the criteria that... scheduled, yeah. Changes with this issue of annual assessment: I don't know if this is due to us or not, but I think we were one of the first cloud service providers to do this. We coupled some significant changes... we weren't probably the first, but we coupled some significant changes with our annual assessment so that we didn't have to do a 3PAO assessment mid-year, between our initial assessment and the annual. We helped the Dell Cloud for US Government go through that process. So, and then this appendix B, really good. Yeah, this is when they get into the appendix, here's the different control breakout, so we were talking about for the different change types. So this is where they gave you the actual security controls that they feel are impacted, for like a new interconnection or a new technology or a new data center. I think it's a really good job of being prescriptive about that kind of stuff, and it's defining what they want to see. Appendix... yeah, that was it, thanks, B, and then that's just a letter for the attestation. Anything else significant here? I think that was it. This is the template, it's a document status. Yeah, okay.

So let's change over to the significant change form. Mm-hmm. So this is really just... I mean, what do we see changed here? The only thing that they really did was kind of rebranded; they said they fixed some grammar and issues and stuff like that, but they also put in a 3PAO kind of validation piece. Yeah. They want to make sure the 3PAO was on board with a significant change, and that they evaluated it, they're contracted for the significant change, and they have a control matrix at the end where you check every single one of your controls that are affected, and stuff like that. But nothing huge. So really this is just a minor edit of the previous process. Then on the flip side of that, there's kind of this whole new process that's defined in this document. So, right, walk us through this document. I think this is another net new: the cloud service or feature onboarding form. And at first it doesn't jump out at you unless you know why this is here, from the other document, from their policies and procedures document, that anyway is a net new thing, and it's sort of a different way to go from the significant change. All right, it looks like it hits on four pieces, where it says, especially right here in the executive summary, these are the pieces that really make the decision here: if any of these criteria aren't true, then, right, you're kind of kicked out of this as being eligible for this procedure.

Yeah, so it's basically saying your future services or features won't have any impact on the existing and already authorized pieces of your environment, so no huge change or impact; they won't require any new controls specific to that service or feature; they won't require any changes to the configuration management or SDLC capabilities; or they also won't have any effect on the common activities. So it is kind of saying it changes your environment, but it doesn't really have any impact; it's like an impact-less change. Yeah, I mean, obviously here they're looking for a well-architected cloud where you don't have to go through and reauthorize all these existing services. Yes, just like in Amazon, you don't want to reauthorize the IAM service just because they added another new service. Right. And then they also want, you know, integration between those existing services, like IAM roles being used to control access between different services that might be new. They want to make sure that the new services can leverage those existing services. Right, so really this document, it almost struck me when I first saw it, like it's a mini SSP. Mm-hmm, yes. It's like they want to know all the integrations, the tie-ins. I think it's most illustrative to probably just look at the table of contents. They really want to see that the new services or features have tie-ins to the categorization, the description, you know, so a lot of this looks sort of like the SSP. Mm-hmm. And then they want to know all the touch points for the integration into the existing system, as you'll see, if there's any changes or anything there. Later on, I think they look for validation that the CM and SDLC is all intact. Right, they want a validation of that, validation of continuous monitoring, and so they're looking to make sure the system that was previously authorized is still functioning, not being impacted in any way, just like the four criteria that they stated. Right, they're really looking for validation of those criteria being met, I think. Yeah, definitely, like you said, a mini SSP, because they even reference SSP attachments in some of the appendices in this document. So yeah, it's very much kind of a snapshot of an SSP or something like it. Yeah, I imagine that you would submit, like, when you're ready for the next iteration of your SSP, you know, for new services to go live you have to edit the SSP to add the new services in, and submit this as well, is how I'm seeing this work out. I haven't seen them explicitly state that. Right, right, but it makes the most sense. And even though this does look like a lot of work, more upfront seemingly, it is kind of like the fast-track option here, where they kind of go through and they get everything validated, get everything scanned by a 3PAO, and it is the quick option. Right. Yeah, it's a quick option, but it also looks like it's probably the most costly, because just by the nature of the types of clouds that are going to be leveraging this, right, it's going to be a high rate of churn. This type of process might be executed two or three times annually as they add new services, or, you know, I imagine you might want to put a few services in at a time, mm-hmm, but then roll those out quarterly. So I could see how we could work with a cloud provider on a strategy of how to use this process and to do rapid, agile updates to the SSP and their entire package, and roll continuously with that. Yeah.

All right, so I mean, I really think that really covers it. Again, a lot of changes this time from the PMO. I think it's a lot of positive changes. The boundary guidance, I think, has been extremely helpful. We've been helping a couple cloud providers through their assessments, and having the late-breaking RAR being updated, it caused us a bit of a scramble, because we were two weeks away from our assessment, yeah, when the templates dropped. So we sort of realigned real quick and jumped on it, but I think it's been very helpful to have the boundary guidance and to be able to have the conversations of, hey, here's explicitly what they're looking for when it comes to packets entering or leaving the boundary in any way, shape or form. Right. So I mean, that's been a very positive thing. I think this change process is going to be very helpful to cloud providers as well. I think that it's helpful. I know we had a lot of questions about it when we were taking different changes through the annual assessment, but I think that this helps to really resolve a lot of those questions. And I'm sure there'll be fresh new rounds of questions. Oh, of course. So this is the first video we've done with our new video rig, so leave us a comment, tell us how you like it. But thank you for watching. Thank you.
