Earlier this year, ServiceNow received a FedRAMP Authority to Operate (ATO) for their service automation government cloud. With that lengthy certification process behind them, Bob Osborn, ServiceNow’s Federal Chief Technology Officer, and Mike Rohde, ServiceNow’s Federal Chief Information Security Officer, sat down to discuss what they learned both about the certification process and about the FedRAMP program as a whole.
Perhaps their most illuminating insight from their journey was that certification is not the end of the FedRAMP process. FedRAMP should be thought of as a journey, not a destination. Likening it to Dorothy’s first visit to the Emerald City, the ServiceNow team found they still had many tasks ahead of them once they achieved the ATO. Like many companies, ServiceNow built a completely new environment to develop their FedRAMP-compliant solution. Once that solution was approved, the team had to initiate the process of migrating their existing customers, who were on a FISMA-compliant system, to the new FedRAMP platform. Luckily, the company routinely moves customers as part of its backup processes, so moving live systems over to the new FedRAMP environment was a relatively easy task.
Adding to this, another ongoing challenge with the FedRAMP approval process is making sure subsequent releases of the software also meet the program’s accreditation standards. In ServiceNow’s case, their development teams release new versions of the software every eight months. Because of this rate of change, the ServiceNow team is currently working with the FedRAMP Program Management Office (PMO) to develop a more efficient process that will speed up approval of subsequent releases and updates.
ServiceNow took the longer path to FedRAMP certification by going through the Joint Authorization Board (JAB) to receive their ATO. They chose this route over an agency sponsor because they felt that, in the end, customers across government would be more comfortable knowing they were certified by a group that did not have “skin in the game.” While both the JAB and agency review panels ultimately look for the same criteria, agencies may apply their own risk authorization levels, which may not be compatible with those of other agencies. Certification through the JAB provides a more holistic look at the technology.
As to the FedRAMP compliance process itself, Bob and Mike highlighted education as a necessary, but often overlooked, part of FedRAMP approval. The FedRAMP JAB reviewers are often not experts on every type and version of cloud technology; it is up to the vendor to educate the evaluators on why certain components are designed the way they are. For example, ServiceNow uses a multi-instance architecture rather than a multi-tenant architecture, which affects how security controls are put in place. On the surface, it appeared as though their platform was missing some controls, but after additional training of the JAB reviewers, the ServiceNow team was able to show that their architecture did not require those exact controls to achieve the same effect. Given the rapid rate of cloud evolution, many of the standards within FedRAMP may be out of date relative to newer technology capabilities and features. Because of this, it is incumbent upon the vendor to educate the JAB about these evolutions and their impact on the program.
In the end, FedRAMP is about risk management (as the acronym states), not risk avoidance. FedRAMP is designed to get agencies 95% comfortable with the security of a cloud solution. Agencies have to do the last 5% of the work by implementing certain controls that are not under the purview of the cloud service provider – such as defining access controls and risk profiles. It is not a foolproof system, but by working together, vendors, the FedRAMP PMO, and federal customers can be confident that they are implementing cloud solutions that meet the highest security standards.
To hear the complete conversation from Bob and Mike on FedRAMP lessons learned, download their fireside chat here. And for the unique opportunity to learn more about the future of service management from ServiceNow experts, register to attend the 2016 Federal NowForum in Washington, DC on October 26th.