January 18, 2023 | 15 minutes
In this EXTRA! episode, Rob and Stan discuss FedRAMP, starting with "What is it?"
About the Guests
Rob Aragao is chief security strategist at CyberRes, a Micro Focus line of business. He has more than 20 years of information security experience, with an emphasis on cyber risk best practices, threat intelligence, security monitoring and regulatory compliance initiatives. He has worked in multiple fields, from financial services to telecommunications. Prior to joining CyberRes, he was vice president of security strategy & innovation for ReliaQuest and served as the chief security strategist for HPE.
Connect with Rob Aragao on LinkedIn
Stan Wisseman leads the Security Strategist team for Micro Focus’ CyberRes in North America. He has more than 30 years of information security experience and has built security into products, systems, software, and enterprises. Prior to joining Micro Focus in 2014, Wisseman served as chief information security officer for Fannie Mae, with responsibilities for information security and business resiliency across the organization.
Reimagining Cyber Extra! | FedRAMP, Software Supply Chain Guidance & API Security - New Year Updates!| Rob Aragao and Stan Wisseman
Well, everyone, welcome back for another episode of Reimagining Cyber Extra. I'm Rob Aragao. I'm joined by my co-host as usual, Stan Wisseman.
There's always so much going on in cyber right, Stan, and so one of the things that I know you just kind of got a little bit in depth on I want to share, is some of the things that's going on in the federal sector.
So why don't we kind of kick off and share, you know, what is it that we're seeing coming into the new year.
If you recall in our episode with Louis Lerman a few weeks back, and when we were talking about healthcare security and the HITRUST certification process, he referenced FedRAMP several times.
And he was making a comparison between you have to do in FedRAMP and the purpose of FedRAMP versus HITRUST. But I, I don't think we've covered FedRAMP in any of our previous episodes so our listeners may not be familiar with that program, and I just wanted to spend a little time, you know, ensuring that folks understand what FedRAMP is and as well as, you know, some of the updates that are going on.
It's an 11-year-old program and it's called the Federal Risk and Authorization Management Program, and it's run out of GSA the General Services Administration here in the United States. And this whole purpose is to provide a standardized government-wide approach to security assessment, authorization, and continuing monitoring of cloud products and services used by the federal government agencies.
If you recall, you know, when the cloud computing got it introduced the whole question was how the federal government, and these agencies was going to safely and securely right. Use cloud? And this was the answer. FedRAMP was the answer. And as an example, as far as our, our own services, you know, Fortify On Demand is a managed service that is FedRAMP authorized, right? So that's an example of one of those that we have, and it's been long standing. We've had that authorization for a number of years, and I think with any metric, the FedRAMP program has been viewed as successful for accelerating the adoption of secure Cloud solutions for used by public sector agencies.
So, it has been a successful program. And as a way of sort of reflecting that success, they've sort of codified it now. So, one of the things that's happened as an update, the FY23 National Defense Authorization Act, or NDAA was signed by President Biden in December that codified into law the FedRAMP program.
And, and you know, this is a big milestone for, for FedRAMP and it's, it's been updated as well. I mean, one of the things. They tried to address in this, this new law that's part of NDAA is some of the, the challenges with the authorization process, which can be a little onerous. Right. And it can take a while to get through and definitely you know, sometimes you feel like you're doing duplicative work, so, some of the things they're trying to do is like reduce the duplication of security assessments and other obstacles that the agencies are facing when they're adopting cloud products and have this presumption of adequacy for cloud technologies that have already received FedRAMP certification.
So that again, should reduce some of the re redundancy of some of the work that's been done.
So really kind of simplifying some of these aspects and streamlining the process, right, because that has been a bit of a thorn in the side of many different vendor organizations in the past
And one of the other changes was to, hey, look at this secure, centralized repository and reuse existing assessments before you conduct your own.
I mean, again, sort of like a direction of, don't do it again if you don't have to. And GSA has been directed to automate some of the process. And again, some of these security assessments and continuous monitoring have been pretty manually intensive. And so, automating that process and hopefully streamlining it and making it a little more efficient on, on both sides of the equation from the agency perspective as well as the vendor trying to get through the process is, is big.
And finally, the other thing I always want to point out is they, they did establish this Federal Secure Cloud Advisory Committee and the point of that is to have a dialogue between GSA, which runs the program, the different agencies, you know, cybersecurity and procurement officials and industry, you know, to have this kind of coordination to help, you know, again, continue to mature the program. It's been in place for 11 years. It's already had a lot of maturity, but you know, let's continue that dialogue of all the different players involved to make sure that it's going to become more efficient. I think all these are very positive developments for the FedRAMP program.
It's good to hear. Now, outta curiosity, was there any update as it related to SBOM (Software Bill of Materials)? Cause there was a lot of back and forth.
There was, you know, if you recall, there was a lot of back and forth. They were trying to actually include SBOM language. So again, that's, you know, Software Bill of Materials. You know, we've, we've actually, you know, covered that in a number of our episodes as far as around the whole secure software, supply chain risk management, you know, we've had John Pescatore back then with SolarWinds.
They were going to codify in law in this NDAA vendors were going to have to provide an SBOM in order to have agencies consume their products. And a number of tech trade groups like the Alliance for Digital Innovation really were urging the House and Senate Armed Services to remove that language cuz they, they said, didn't feel we were ready yet.
Mm-hmm. You know that the government and industry needed more time to work out the solutions and improve their supply chain security and, ensure that they can actually generate and consume these SBOMs. So, I, I think, you know they listened and they, they removed that language, but I don't think that's really stopped the executive branch from continuing to execute on Biden's executive order.
Yeah. Yeah, that makes sense. I mean, again, that's been a bit of a conflict, if you will, back and forth, kind of both sides discussing, you know, the approach to SBOMs and whether or not there's known to be validity behind it, but then there's a question of is there too much of a cyber kind of opening the kimono?
And, you know, we're, we're giving too much information out so that that conversation will continue. But I do believe at some point in time it will be, probably, probably likely part of this as well. Right.
Yeah, and you know, NIST is continuing and as well as Dr. Allan Freidman over at CISA
They're continuing to work on the SBOM stuff and guidance.
So I think, you know, the crystal ball is if you are a software supplier to the government, you have to be prepared. In the future to be able to provide this kind of inventory of components that make up your software build. Right. You know, it's, it's important as we've heard from Steve and others, to be able to react quickly to zero days, to be able to understand what your software consists of to be able to mitigate open source security issues and risks. Right. So, you know, you, you're, you're going to have to be prepared to be able to share this information with those that are, are asking for it.
Yeah. And I think, you know, we, we've seen some of that direct obviously impacting us and how we develop and deliver our own software but also on the customer kind of engagement side of things where if we turn the clock way back to Log4J , and, you know, looking at one of our, I would say more mature customers in the, in the area of software security you know, within a very short period of time, I believe it was maybe three business days, they were able to identify exactly which of their assets truly were impacted, that they need to focus their attention on, and in essence, remove all that.
And then on the flip side, you look at other organizations that have to go through months and they're still in some cases, kind of digging out of where does it actually impact us? Right? So, I think that kind of piece of that, you know, visibility and understanding of where these things are and what they're baked into is of good value.
But it's also how are you actually leveraging it appropriately so that when the time comes to be able to action it, you do have all the information ready to go as opposed to the whole kind of, now let's go and scramble and.
Right. And you know, I think as Steve Springett pointed out to us though, SBOMs in and of itself aren't really the golden ticket as it were, you know, that's as a part of that whole puzzle Exactly. Of software, supply chain, risk management, and, you know, a, a yet another industry set of guidance on how to do it right was released you know, Microsoft got into this game, you know, a long time ago.
They have their own issues as far as supply chain, and they've been managing those risks for a long time. And so, they have now shared their approach and it's called the Secure Supply Chain Consumption Framework. And you ready for another acronym? Here we go. S2C2F doesn't exactly roll off the tongue.
I'm not sure how they, you know how they say that, but I'm a little shocked at that cuz didn't they look to see that Google called it SLSA (salsa) and made it pretty easy?!.
Stan Exactly. So, you know, it's interesting you mentioned SLSA cuz you know, that's what we talked to Dan Lorenc about, right? Right.
But you know, the, the difference is, S2C2F is more of a consumption focused framework as opposed to the development or producer. Mm. Okay. So, you can, you can look at SLSA as being complimentary to what Microsoft has done I see. Or what they've released here. You know, so the, the idea is, is designed to protect developers from accidentally consuming malicious and compromise packages and helping them, you know, mitigate supply chain risk by decreasing consumption-based attack surfaces.
So, you know, this has gotten some endorsements, you know, the OpenSSF has, you know, adopted it. Their Supply Chain Integrity Working Group has focused on using this. And so, you know, Microsoft is doing what they can to help the industry and help organizations mitigate their consumption of potentially risky components.
And that's great that they've released it and gotten OpenSSF support. So, kudos to them.
Excellent. I mean it just seems like everything that we're talking about in cyber always somehow turns itself back around to the software aspect of it, right? The software supply chain is the common theme that we heard through last year.
It's not going to slow down this year. It's going to continue to be kind of this evolution of people becoming more mature in their program and how they're able to support that, understands more of the risks outbound as well. Right. I think there's kind of this cascading effect of, it's not just the vendors you're working with, it's also who other vendors actually working with as other third parties.
And aspects of, you know, software elements they may be pulling into their own end result they bring to market. So, you know, we'll, we'll probably pick up on this as we go forward. I think it's a key topic as it relates to some of the common themes that we're going to be likely to see in 2023. God knows we changed so quickly so that, that, that can easily go away next month.
Right. But it just seems like that's going to continue to accelerate itself.
Well, you mentioned, you know, prevalence of software, software is everywhere and yeah. And, you're bringing up the different components and interactions. I mean, APIs (application programming interface) is another aspect of this that is rising as an attack surface and attack vectors that are hitting applications. And the organizations out there are just now becoming aware of this new attack surface that they have to control. But that's due partly because the way in which development has evolved and you have all these microservices and all these different interactions now between software components, which is great, but that's also an opportunity for bad actors to use that as a vector into your application. Mm-hmm. Or back in, back in databases and systems. And so, I think that's another aspect that we have to possibly focus on. So, I would love to get a speaker from Microsoft on, you know, the C2. S2C2FF, I got to get this right man. Got to come up with a, wouldn't you
It'd be good to have somebody on that or, and or on something on API security. I, I think it'd be a good topic.
API security, to your point though, I mean, it has just exploded right on, on what we're seeing out there with organizations just trying to kind of get their arm dropped around it. It was something they weren't paying attention to.
Now that being said, it’s not going to slow down by any means. Right. Because one of the things, and again, this is something we'll carry on to maybe a following extra episode or even bringing a guest for is, one of the things that we're seeing more and more desire for is the kind of open platform, ecosystem-based model.
Meaning that, there's all this great technology as we know out there, but we need to also kind of take into account how can these things be more open from an integration perspective. So, for example, a managed security service provider. It's not necessarily where they're taking kind of their packaged offerings to market any longer.
They have to be very much customized in how they're going to support the organizational needs of their customers. And to do so, they have to work with different technology investments they already have in place, the customer already has in place. Take those on but be able to integrate them effectively to be able to kind of paint that overarching picture as to delivering the service with the proper viewpoints as what's going on, what do we have to actually deal with today? And again, that, that was a key theme actually, of something that I was involved with recently that I think is, going to explode this upcoming year. There's much more need for, you know, that type of visibility. So, Stan, great discussion again as always, I love the federal perspective, but it always comes back and also to the overarching view of what we're seeing out there and that software supply chain aspect is just not slowing down. So, good discussion onto the next Extra episode onto the next guest. And if anyone is listening who would like to join us in the conversation on API security or more information about what Microsoft is doing as an example, please reach out to us.
Let us know. We'd love to talk to you about that.
That would be great. Thanks Rob.
Virginia Wright discusses the concept of cyber-informed engineering.
Louis Lerman discusses the wide array of cyber threats facing the medical field.