Accelerating SaaS solution delivery to the U.S. Federal Government


Synopsis: The Cisco Federal Operational Security Stack streamlines the process for Cisco SaaS solutions on their FedRAMP journey, bringing a myriad of benefits. It revolutionizes product engineering team workflows by offering a centralized and integrated suite of tools and services that cover a significant number of FedRAMP security requirements. This efficiency decreases engineering team effort, enabling them to focus on enriching solution features and accelerating their FedRAMP readiness.


In 2023, the FedRAMP Authorization Act was passed, codifying FedRAMP into law as the authoritative and standardized approach to security assessment and authorization of cloud products and offerings for Government agencies to use. The US General Services Administration (GSA) administers FedRAMP in collaboration with the Department of Homeland Security (DHS) and Department of Defense (DoD) and is based off NIST 800-53.

FedRAMP requires that cloud providers serving federal agencies implement a set of security controls, thoroughly document them, and then undergo an audit by a third-party assessment organization (3PAO) to ensure compliance. Upon completing the assessment, a series of reviews will then occur by a sponsoring agency, as well as the FedRAMP PMO itself to achieve an Authority to Operate (ATO) status; otherwise known as “FedRAMP Authorized”. For more on the FedRAMP authorization process – please refer to here. Upon achieving a FedRAMP Authority to Operate (ATO), a CSP is recognized as meeting the necessary security control requirements to handle federal data. Consequently, Cisco SaaS solutions must obtain FedRAMP ATO to conduct business with U.S. Federal agencies.

Meeting rigorous U.S. Federal Government standards

For Cisco to continue to serve the U.S. Federal market with technology innovation, meeting these rigorous government standards is not just beneficial, it’s imperative. The U.S. Federal Government mandates cloud solutions inlcuding Cisco’s own Cloud solutions obtain authorizations for FedRAMP and the Department of Defense (DoD) Impact Levels (IL) to sustain business relations with U.S. federal agencies. Yet, this obligation comes with its own set of stringent requirements, such as:

  1. Limitations on supporting tooling usage.
  2. Specific encryption methods around using FIPS 140-2/3 and hardening requirements.
  3. Monthly continuous monitoring reporting guidelines to validate vulnerabilities are being reviewed and remediated in a timely manner.

This can significantly extend the time required to obtain product ATOs and IL authorizations — at times exceeding 24 months to establish FedRAMP Moderate, as an example. As such, to streamline these efforts, Cisco has developed a centralized solution – Cisco’s Federal Operational Security Stack or Fed Ops Stack.

A centralized solution to meet federal requirements

For CSPs with multiple SaaS offerings, like Cisco, it is crucial to devise a strategy that provides these solutions with the agility to be competitive, while upholding the elevated standards of application and operational security measures required by the U.S. Federal Government. To that end, we’ve developed and implemented the Federal Operational Security Stack or Fed Ops Stack — a centralized solution to increase efficiency while minimizing the time and effort required by engineering teams to deploy our solutions and services in this highly-regulated market.

The Fed Ops Stack comprises of a comprehensive suite of tools and services, hosted on a central infrastructure and designed to deliver foundational capabilities that encompass approximately 50% of FedRAMP Moderate requirements. Cisco’s SaaS solutions can subscribe to Ops Stack’s package, and leverage these centralized tools and services, by integrating with the Fed Ops Stack to streamline the time and effort needed to attain a FedRAMP ATO. The diagram below illustrates its services and key features:

Accelerating FedRAMP Authority to Operate

Through the Fed Ops Stack, SaaS solution teams inherit identity and access management, security monitoring, testing, application sustainment, and customer support by authorized personnel. Without it, meeting these requirements for each solution individually can be quite costly, time-consuming, and unsustainable.

The Fed Ops Stack accelerates the readiness process for SaaS solutions on their FedRAMP journey, by offering an integrated and centralized suite of tools and services, bring efficiency by reducing engineering team effort, enabling them to focus on enriching solution features and accelerating their FedRAMP readiness.

Over the next couple of months, Cisco is in process to receive agency authorization (NIH) for Fed Ops Stack, followed by a full authorization post-FedRAMP Program Management Office review. This will allow for Cisco’s offerings to utilize a driver-subscriber model by leveraging Fed Ops Stack’s authorization and centralized tooling and processes, streamlining go-to-market plans.

The journey map below shows how Cisco provides a clear process and resources for delivering SaaS solutions into regulated federal environments. It displays the steps for solution teams to move their SaaS solutions throughout the process, while partnering with U.S. federal agencies and teams along the way.

What’s on the horizon

In the future, Cisco plans to encompass higher levels of federal and DoD accreditations into the Fed Ops Stack, including FedRAMP High and DoD Impact Level. We also intend to broaden our reach to other countries’ public sectors by constructing specialized stacks tailored to meet specific compliance requirements, such as the Australian Infosec Registered Assessors Program (IRAP) and Germany’s BSI Cloud Computing Compliance Criteria Catalogue (C5), among others. We aspire to establish a unified deployment pipeline capable of integrating both commercial and federal environments, streamlining operations, and continuing to deliver efficiencies for Cisco’s SaaS solutions.

Reach out to our team at ciscoccf@cisco.com with questions and to learn more.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Security on social!

Cisco Security Social Channels

Instagram
Facebook
Twitter
LinkedIn

Share:





Source link