With the rise in cybercrime, security is important for anyone who uses technology, and none more so than the US Federal Government. It is vital that every government agency has sufficient security in place to protect sensitive information, and NIST standards are the established way to ensure this.
What Is NIST?
NIST stands for the National Institute of Standards and Technology. It has published a number of standards relating to computer security that are mandatory for any data systems used within the US Federal Government. Many documents in the NIST SP 800 series concern data security and risk mitigation, but the one specifically applied within US Government agencies is NIST 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.
How Are These NIST Standards Applied?
FISMA (the Federal Information Security Management Act of 2002, updated by the Federal Information Security Modernization Act of 2014) is a directive that ensures federal agencies use the correct security controls and approach data protection with risk-based procedures. For US Federal Government agencies to be fully compliant with FISMA, all departments must comply with the NIST 800-53 controls and must confirm their compliance each year by reporting to the Office of Management and Budget (OMB).
Any other business that manages data systems for a government department or agency must comply with the same standards.
How Does FedRAMP Help?
FedRAMP (the Federal Risk and Authorization Management Program) standardizes the approach government agencies use to comply with the NIST framework, specifically for departments using cloud services or Cloud Service Providers (CSPs). It provides for data integrity and continuous monitoring of cloud services and products, and it reduces unnecessary duplication of security assessment work, thereby maximizing efficiency.
There are two types of FedRAMP authorization: a Provisional Authority to Operate (P-ATO) granted through the Joint Authorization Board (JAB), and an Agency Authority to Operate (ATO). Since 2016, the JAB can grant a P-ATO so that a department has fast provisional approval to use a designated cloud service, which speeds up the process and results in a smoother rollout of compliance.
FedRAMP draws on both NIST 800-53, which defines the data security controls, and NIST 800-37, which addresses risk mitigation; agencies that use cloud services, as well as the CSPs themselves, fall within its remit. CSPs typically provide IaaS, PaaS or SaaS products, which have to be assessed differently from the government’s internal systems but must still comply with NIST 800-53 and FISMA.
For example, a CSP may provide SaaS from a single data center hosting its software, with all users accessing it with passwords and other security measures. Under FedRAMP the CSP must ensure that the data center is secure and that it complies with the controls required for it. Any agency using the platform must in turn comply with FedRAMP by ensuring that its own password controls are adequate to keep its data secure.
Before a CSP can work with any US Government agency, it must be assessed by an independent organization to confirm that the controls it will implement are sufficient and, if not, what changes are needed to make them so. This assessment can then be reused by other agencies, which substantially reduces cost and time.
GRC Automation
Governance, Risk and Compliance (GRC) automation can make it easier for federal departments to stay compliant with NIST and FedRAMP, particularly if the tooling comes pre-loaded with user-friendly content for precisely these standards. Some tools are specifically designed to let you reuse existing work from other regulations in order to become FedRAMP compliant, including simplified gap lists that point out where your systems fall short and suggest how to close each gap. Ideally, the automation tools should also help with evidence gathering for audits, which can be quite protracted depending on the size of the IT systems; automation helps here by collecting all the documentation in a single location.
Overview
NIST prescribes controls for data integrity, security and risk mitigation for any technology that the US Federal Government uses. FedRAMP applies those standards and guidelines to the situations where the government uses cloud services. All US Federal agencies must abide by NIST and FedRAMP if they use the cloud, as must any companies that provide systems to them.
Although other firms are not legally required to comply with these standards, compliance is recommended for any that use cloud computing, because following the standards makes a company’s data and infrastructure more secure and its operations more efficient.