Cisco Defense Orchestrator’s Path to FedRAMP Authorization
As an industry leader in security and building trusted systems, Cisco continues to make progress on our commitment to deliver SaaS solutions to the government. Today I’d like to shed some light on the status and processes involved for one of these solutions as it moves forward on achieving FedRAMP® Authorization—Cisco Defense Orchestrator (CDO).
Cisco Defense Orchestrator is a cloud-based multi-device manager that enables consistent policy implementation across highly distributed environments. CDO’s centralized management allows rapid deployment of policy changes when minutes matter, and reusing policy objects across all firewall form factors reduces both administrative effort and organizational risk. Security teams that adopt CDO spend less time deploying and maintaining their firewalls and more time optimizing policies and managing threats.
Moving forward on FedRAMP
Cisco has made great progress in moving a variety of our solutions through the FedRAMP process. Created to encourage use of cloud computing, FedRAMP serves to streamline the exchange of information and accelerate services within federal agencies, plus improve their interaction with the public. In 2023, the FedRAMP Authorization Act was passed, codifying the FedRAMP program as the authoritative standardized approach to security assessment and authorization for cloud products and offerings.
With FedRAMP, federal agencies are provided a uniform framework for evaluating, approving, and continually overseeing cloud services. This includes procedures for security assessments, authorizations, and ongoing surveillance of cloud services utilized by federal entities. In addition, you should understand the following:
- The US General Services Administration (GSA) administers FedRAMP in collaboration with the Department of Homeland Security (DHS) and the Department of Defense (DoD).
- The compliance parameters set by FedRAMP are in alignment with the National Institute of Standards and Technology (NIST) Special Publication 800-53, which outlines technical standards for cloud computing.
- FedRAMP also promotes adherence to the Federal Information Security Management Act (FISMA) and the OMB Circular A-130 by federal agencies.
The FedRAMP process and Cisco Defense Orchestrator
FedRAMP Authorization can be pursued with an individual agency sponsor or multi-agency authorization. For CDO, Cisco is working with the United States National Institute of Health (NIH) as the individual agency sponsor.
Preparation Phase
The initial phase with individual agency sponsorship is known as the Preparation Phase. It consists of two key steps if no sponsor agency is available: conducting a Readiness Assessment and engaging in Pre-Authorization activities.
Preparation Step 1: Readiness Assessment
The Readiness Assessment is an optional stage aimed at helping cloud offerings obtain a sponsor. Readiness assessments are performed by certified Third-Party Assessment Organizations (3PAOs), who produce a Readiness Assessment Report (RAR) that shows potential sponsoring agencies that the solution is ready to meet the federal government’s security standards.
Preparation Step 2: Pre-Authorization
If sponsoring agency is available, you can go straight to Pre-Authorization, skipping the Readiness Assessment stage. Cisco has completed Pre-Authorization with NIH. This means the CDO team has implemented the requisite technical and procedural requirements and compiled the security documentation necessary for the authorization process.
During this phase, Cisco accomplished the following tasks:
- Demonstrated that the CDO for government solution is fully built and functional.
- Completed a CSP Information Form.
- Determined the security categorization of the data that will be placed within the system utilizing the FIPS 199 categorization template along with the appropriate guidance of FIPS 199 and NIST Special Publication 800-60 Volume 2 Revision 1 to correctly categorize the CDO system based on the types of information processed, stored, and transmitted.
After the successful completion of a kickoff meeting with NIH on February 22, 2024, CDO achieved the In Process status on the FedRAMP Marketplace.
Authorization Phase
The next step is the Authorization Phase, which has two parts: Full Security Assessment and Agency Authorization Process.
Authorization Step 1: Full Security Assessment
The first authorization step is a full security assessment by a certified 3PAO. Before this assessment, Cisco completed the Site Security Plan (SSP) and reviewed it with NIH. Schellman Compliance, LLC is the 3PAO responsible for the Security Assessment Plan (SAP) for CDO and the Security Assessment Report (SAR) that will document test findings and suggestions relevant to attaining FedRAMP Authorization.
Once the 3PAO assessment is finished, Cisco develops a Plan of Action and Milestones (POA&M) outlining the plan to address the test findings in the SAR.
Authorization Step 2: Agency Authorization Process
The second authorization step is Agency Authorization, in which NIH will review the complete authorization package and may hold a SAR debrief with the FedRAMP Project Management Office. NIH will also implement, test, and document the customer-responsible controls during this phase. Then the NIH will perform a risk analysis and issue an Approval to Operate (ATO) when identified risks are sufficiently addressed.
At this point, CDO will have agency authorization to operate but still require review by the FedRAMP PMO to be included in the FedRAMP Marketplace. When finished, the FedRAMP PMO will update the Marketplace listing to reflect FedRAMP Authorized Status and the date of Authorization. The security package will then be made available to agency information security personnel, who can issue subsequent ATOs, by completing the FedRAMP Package Access Request Form.
Post-Authorization
Once CDO receives Authorization status in the FedRAMP Marketplace, it will enter a continuous monitoring phase to ensure ongoing protection of the system and government data. In this phase, Cisco submits regular security documentation—including vulnerability scans, refreshed Plans of Action and Milestones (POA&M), yearly security evaluations, reports on incidents, and requests for significant changes—to each of their agency clients. Cisco will make use of the FedRAMP secure repository to upload continuous monitoring content for all agencies that deploy CDO to review.
Leveraging the Cisco Federal Ops Stack
Cisco is leveraging the Cisco Federal Operational Security Stack (Fed Ops Stack) as a core component of the CDO FedRAMP process to speed future FedRAMP development and assessments. The Cisco Fed Ops Stack is a centralized set of tools and services that cover approximately 50% of FedRAMP Moderate requirements. Once Fed Ops Stack has received authorization to operate, along with CDO, Cisco can leverage these shared services in future SaaS products to make audits and continuous monitoring simpler for Cisco and federal agencies.
Pushing forward on CDO FedRAMP compliance
Our team at Cisco is fully committed to getting CDO FedRAMP compliant, so federal agencies can simplify their management of distributed security policies. We are pleased to have completed the Agency Review with our agency sponsor NIH and achieved In Process status. Watch for more updates as we get closer to full FedRAMP Authorization for CDO, the Cisco Fed Ops Stack, and additional SaaS offers from Cisco.
For additional details on the FedRAMP process, I encourage you to read Will Ash’s blog on mapping the FedRAMP journey for Cisco Umbrella for Government.
Learn more about Cisco Defense Orchestrator and FedRAMP
Share: