Cloud Service Provider (CSP) Esri last week earned a rare distinction – its Esri Managed Cloud Services (EMCS) became the first system to transition from a CSP supplied package to an agency FedRAMP authorization. Esri, based in Redlands, California, initially earned its Authority to Operate (ATO) at the moderate level from the U.S. Census Bureau.
Esri provides geographic information systems, so its Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) offering has broad appeal – Esri Managed Cloud Services allows for rapid sharing of geospatial content.
FedRAMP411.com caught up with Esri’s Third Party Assessment Organization (3PAO), Veris Group, to learn more about this unique transition.
Nathan Johnson, a Veris Group manager who worked with Esri, provided insight about the CSP's transition, the significance of the move, and what Esri's shift from a CSP supplied package to an agency FedRAMP authorization may mean for other CSPs – and for FedRAMP.
FedRAMP411: Esri’s EMCS system is the first cloud offering to successfully transition from a FedRAMP CSP Supplied compliant package to a FedRAMP agency authorized cloud solution. What is the practical significance of the transition?
Johnson: The Esri EMCS CSP-supplied-to-agency transition demonstrates that cloud service providers have a viable option if they have been unable to secure an agency sponsor. The U.S. Census Bureau granted the EMCS system an agency authority to operate without requiring additional testing or verification from Veris Group, which served as the 3PAO for the CSP-supplied assessment. Veris Group conducted the 3PAO security assessment of the EMCS offering against the NIST SP 800-53 Revision 4 security control baseline.
In addition to the security control assessment based on NIST SP 800-53 Revision 4, this assessment also included a comprehensive penetration test of the software code base; a detailed source code review; and vulnerability scans of operating systems, databases, and web applications. The depth and breadth of testing and documentation allowed the U.S. Census Bureau to accept the test results as documented.
FedRAMP411: Does the path that Esri took to achieve FedRAMP authorization represent a viable alternative for other cloud service providers (CSPs), and if so, why?
Johnson: The EMCS transition demonstrates the CSP-supplied path as a viable path that can be used by CSPs that do not yet have a sponsor. With meticulous testing and reporting, the CSP-supplied path now shows that an agency can leverage the assessment package without being involved in all testing activities. It is critical that CSPs be well prepared with extensive documentation, current patching and vulnerability scans, and a mature security program for this route to be successful.
CSP-supplied packages go through a FedRAMP review process to ensure completeness, and can still be denied a compliant designation if the system is deemed insecure or the package is deemed incomplete. With adequate preparation by the CSP and thorough testing by the 3PAO, the chances of the CSP-supplied option succeeding increase dramatically.
FedRAMP411: One criticism of FedRAMP is that the Joint Authorization Board (JAB) path that so many CSPs take has become a bottleneck – too many CSPs want to take that route, and FedRAMP is unable to accommodate everyone in a timely manner. Did Esri save time by taking this path for its ATO versus more popular routes like the JAB? And if it saved time with this new path, how much money do you think Esri saved?
Johnson: The CSP-supplied process certainly allows for expedited testing timeframes once the cloud service provider reaches the assessment phase of the FedRAMP process. It is important to note that preparation time for Esri to configure compliant security solutions and document these configurations was not affected by the assessment route selected. The EMCS system was documented as compliant through the CSP-supplied route in January 2015, and received full agency ATO in August 2015.
FedRAMP411: Are there other advantages to the path Esri took? For instance, did it allow them to provide cloud services and demonstrate that its EMCS system was secure while working toward full FedRAMP authorization?
Johnson: Not necessarily. The process for developing and assessing EMCS was the same no matter which path Esri selected. The only difference is that Esri served as its own Authorizing Official (AO) since an agency AO was not identified. This in turn allowed them to be deemed FedRAMP compliant once the FedRAMP Program Management Office conducted its required completeness check.