What's new in the FedRAMP RAR

What's new in the FedRAMP RAR

Yesterday, the FedRAMP PMO dropped a new round of changes that they had warned about since the updated boundary guidance came out in May. These changes included updates to the FedRAMP RAR templates. InfusionPoints was onsite at one of our FedRAMP IaaS customers this week preparing for a FedRAMP High RAR assessment, so we thought we should jump on these updates to see what has changed. Thanks for watching and let us know if you have any questions, or need support  in your FedRAMP journey. We are always ready to help!

Jason: all right I'm Jason Shropshire Daniel: Daniel Borkowski here Jason: and we're from infusionpoints and this morning we were at a client we've been here all week but we're at a customer helping them go through a FedRAMP High RAR assessment or pre assessment rather helping them get prepared for it and lo and behold yesterday the 30th of August the FedRAMP PMO dropped a new documentation dump they've been warning about this for a while I think back since May actually is when they started a you know warning that potentially the documentation was going to be updated right so yeah so yesterday it finally hit and I think everyone got this email it's on the the GSA list but they've updated ten documents and templates added one new document so in this in this video we're going to go through the the FedRAMP High RAR template our readiness assessment report template to see to kind of unpack what has changed so let's bring that up all right so on the left side here we got the old template and on the right side we've got the the new template it's nice and rebranded Daniel: oh it looks great I like it now I like the the fresh look that the PMO is kind of given given the documentation definitely looks looks very modern and polished and clean nice and tight Jason: all right so so dig it into it damn what's the first thing that we noticed Daniel: the first thing that we noticed was under the executive summary there's this big red box that they popped in Jason: oh yeah yeah so nothing's really changed substantially until you get to the executive summary and then there's this brand new box in scary red font and basically what what they're saying here is they really don't accept especially the jab is not going to accept a cloud service provider for FedRAMP Ready designation at the high level if if the service offering leverages external services that aren't at the same authorization impact level that's a general rule and if there is an exception you actually have to go go back and the 3PAO is instructed to have an offline call with the PMO prior to submitting a high RAR for a federal IT decision so they want a heads up and they want to understand the nature of it obviously there's gonna be a lot of scrutiny on that and this really goes back I think back to the guidance that they're released on the FedRAMP boundary I think it was called the FedRAMP boundary guidance back in May is what this all goes back to where they really want to drill into what's in your boundary what's not in your boundary and every type of connection that you got going back and forth they want full transparency and disclosure and I think that we'll see that that's the majority of the changes that we saw on this new template so yeah what's next Daniel: next big changes were actually in the table of contents under Section three looks like they rearranged some things and actually split out some items Jason: yeah so section three looks a lot different everything really looks very similar until you get into section three and honestly it's almost unrecognizable I mean there's a couple of sections that are the same but some sections are gone some things are broken out it's almost more instructive to just sort of dive into the new you know the new areas instead of trying to compare it to the old because so much of it has changed a few things that are just out of order the they've pulled you know data flow diagrams and separation measures toward the end and they were previously sections or subsections and it's really kind of flattened out the structure here too so let's um let's unpack that a little bit more Daniel: okay all right so we'll want to go down to section 3.1 the authorization boundary first where we will see something on the new template that looks pretty familiar from earlier in the very same document Jason: yeah so they've relabeled even an exception three they've relabeled you know CSP system information just a system information I think they're trying to get out of some of the wordiness however they are inserting a new term CSO more and more where previously we saw CSP being used so instead of cloud service provider I guess now it's a cloud service offering you know so I guess the difference between the organization the system yep is what they're what they're talking about there so yeah so drilling into this a little bit here oh oh I didn't we didn't even see this before but they've actually repeated that same red scary warning that was in the executive summary in the authorization boundary we didn't even notice that until we went through it this time but um yeah so the same exact verbage is repeated here in authorization boundaryso okay I guess it's doubly important Daniel: I guess they want to make it very clear Jason: yeah very clear - you know and that to me that just means that if you're a cloud service provider and you're providing services that are being used by other FedRAMP offerings you really ought to look at FedRAMP it's it's it's not going to be optional you're really gonna have to to be able to to play and you know in this area if you're going to be continued to be used or you're you're gonna risk being dropped by service providers that are trying to be compliant so um so yeah so drilling in a little bit more what did we see Dan Daniel: we saw that the leverage FedRAMP authorizations is a specific section now you know Jason: they really changed this relationship to other CSPs they've sort of blown that out and they're calling that authorization boundary I think they kind of expanded actually they broke this out into several different sections in the nude in the nude the new document the authorization boundary I think they're really after just getting a good picture divert good picture diagram good description of all the external connections what's in boundary what's out of boundary that's really what they're going for then there's a section called leverage FedRAMP authorizations so that's sort of the like like we said this breakout the leveraged authorizations they clearly want to understand from the FedRAMP you know package ID number and the name of the system exactly which systems that you're leveraging and which authorizations so one of the things that they added a while ago was the ability in the marketplace to be a leveraged authorization if you're being used by another cloud service provider not just a direct agency so this is a great way for ancillary services that are more likely to be used by a cloud instead of directly by an agency to still get the credit that they need to be you know high up in the marketplace in terms of the number of authorizations that they have right so what do we have now Daniel: excludes the external services external systems and services I mean Jason: what do we think is going on with this one Daniel: I think this is kind of relating back to what you were saying about the boundary guidance they released before they're wanting to be sure that everything is being documented even though this might be gated or geared a little bit more towards things that are might be internal to maybe your corporate environment maybe almost kind of like a ticketing system or or something like that but it is still external to the authorization boundary of the cloud service offering itself Jason: yeah and they also bring up you know external services like Microsoft, Bing Maps, API or integration with DocuSign service things like that so I think that any external services and interconnections they're internal or external you need to be enumerated and discussed here and really the table that they've put in here is so much more than than what they've ever asked as far as information previously they really want to understand you know this is kind of what they had for interconnections before they asked for this internet interconnections service agreement security agreements a Memorandum of Understanding and you know in the in the commercial vernacular those are there's a really federal terms I know that right the commercial organizations don't really understand what that means so think that they really didn't get a lot of good results from this section as far as full disclosure of of what's being used exactly so that's where they're trying to remedy here with external systems and services they really want to drill into the details of the interconnection they there's some you know metadata some it looks like some structured data as an unstructured data that they're after for each service and you can see they've put one two and three so they expect you to continue out this table you know disclosing every every type of connection they want the data types the category the categories of data that's flowing over that connection authorized users authentication methods so however you're authenticating if you're using API keys or whatever they want to understand exactly what's what's being used there Daniel: and the next one is the API is section 3.4 Jason: yeah so API is again is like there's no other section to really compare that to in section 3 of the old document it's it's a new section but they want to understand from a port protocol you know I think this is almost somewhat redundant to the previous section I'm not sure what they really want different here but I think it's again I think it's just more of them trying to describe the importance of full disclosure of every everything that's in use so and the way this reads to me it could almost be like this these things are a little bit more innocuous as far as pulling data in you know using the Bing Maps, API to pull in some mapping data things like that that you're not really pushing any information there's a lot lower risk but then they do bring up stuff like the DocuSign and reprise API which is if that's if that's part of your solution obviously document signing you know it's going to be probably some critical data that's part of the system so that would be you know very critical information that's likely being shared by document of in the DocuSign right so um I don't know that this table I'm not sure really what what is trying to do that external systems and services didn't other than explicitly ask for which API is that you're using so maybe not you know all systems but the API specifically all right so then there's a trusted in our internet connection it's a new section but they sort of hit on it in section 3.4 previously there's a one question you know can the system support a trusted internet connection requirement? well now they have a whole section for this and want to understand you know which I guess they just want a narrative of your ability to support direct connections to a tick in a data center you know if you're at a Colo like Equinox they obviously have several different trusted internet connection available from different agencies exactly all right then data flow diagrams that separation measures these are just sections that were there before but they've been sort of reordering so that's really the line share of the differences in section 3 and that's by far I think the section that had the most change in there are but there were a few other things that we found so let's let's go through those real quick Daniel: in section 4.1 the federal mandates it appears that they have added one more item number six DNSSEC Jason: yeah so this is a you know I don't know 853 red fours been out for a while DNSSEC in the control has been their control the whole time I'm not sure what do you think about this? Daniel: I actually think that kind of like what you're saying before once again it kind of ties into the boundary guidance where a lot of cloud services are utilizing other cloud services to provide certain things for their environment so they're I think they're really trying to stress the sense they're offloading some of those services especially something as critical the security is DNS to you know try to make sure that you know does this service provide DNS security in case of you know man-in-the-middle attacks you know compromises things like that so I think they're really stressing that that needs to be secured Jason: yeah it seems like kind of like an oversight and they said oh gosh you know this is really important especially with the nature of uh you know you know cloud and interconnections or just something that's the one thing that they noticed that really I guess persuaded them to do this revamping of the documentation and and drill in so much on the boundary guidance in the system boundary is because of these uh you know when you're developing cloud native it you have to use the all these external services right so DNSSEC obviously is a lot more important when you're leveraging all kinds of external services and you want to make sure that you're connecting to the what you think you're connecting to Daniel: it's just been an explosion of as a service things that are just out there and they're really trying to get a hold of it kind of get a good grasp of it the next one is in Section 4.2.3 which changes kind of the wording of the eAuth standard to the digital identity levels item number four Jason: yeah so item before so NIST SP 800-63 came out a while back and it looks like that guidance is kind of trickle all the way down into FedRAMP now if any of you were unaware that guidance basically said the old the authentication level which was basically one thing now that's been broken out into three different things the AAL3, IAL3, and FAL3 it's access identity and Federation so each one can be sort of evaluated independently in the way that 800-63 works but FedRAMP actually had the digital identity guidance document that came out I think that they said that they were going to be standardizing across the board based on impact level of the system your facility 9 exactly facility 9 on categorization so if you know if you're going for FedRAMP high you're automatically going to be AAL3, IAL3, and FAL3 yep yeah so that that section is has changed we've also looked at the SSP and we've seen that that set that's an sections been changed as well they're no longer yep the notation it's now digital identity requirements Daniel: correct next item of interest there was in that same for section 4.2.3, AC-17 has been removed item number 12 and they're not quite sure about the reasoning behind that it's just one of those things that we noticed just Jason: interesting yeah I mean it's the others never I'm a reason to it really I'm wonder if they even note that in the end the template changelog, if that got removed or if that's an oversight or we're not really sure what's behind that it's right on yeah it is interesting Daniel: and our next section is section 4.2.6 where we are given explicit guidance on the remediation of low vulnerabilities Jason: yeah so I think before item number 11 item 11 yeah so before this one was not even 4.2.6 yep we're not 2.6 11 item number 11 yeah there's a break in the table it's kind of a yeah reason like there is no item 11 so yeah item 11 previously there is no mention of low vulnerabilities here so they didn't want the 3PAO to evaluate if the provider is is closing low vulnerabilities after 180 days so they've added that looks like it might have been an oversight you know I note quite a while back when looking at the the continuous monitoring guidance and that out from the PMO that um that they never addressed low vulnerabilities that I had as far as you know having a mark on your ATO so it looks like that they have uh they're trying to close that gap other than that that's it I think that's it I think it's that's the the line share of what we saw those are the the major changes well we'll be doing another video just like this on the SSP probably after the holiday but I hope everyone has a great weekend and thank you for watching yep

Let InfusionPoints assist you with your CyberSecurity needs today!

Contact Us