Understanding FedRAMP^®: How Cisco Umbrella is Getting Authorization

Cisco Umbrella just received In-Process status on its FedRAMP^® journey. But when we hear “FedRAMP” do we really understand what it means? Is it just another mysterious techno-term or do we truly appreciate what it takes for a product like Cisco Umbrella to go through and complete the rigorous process required to receive the designation? Genuinely understanding FedRAMP is critical. So, let’s pull back the curtain on this process so everyone can better understand its inner-workings, specifically — what it means for Cisco Umbrella to be In-Process and what needs to be done for FedRAMP completion.

Understanding FedRAMP

The U.S. Federal Government has been promoting adoption of cloud computing since the Cloud First Policy[1] was first developed in 2011 by the Office of Management and Budget (OMB). The driver behind Cloud was to make information sharing easier, more accessible, and faster across federal agencies. Plus, to enhance communication between the federal government and its citizens.

The Federal Risk and Authorization Management Program (FedRAMP) is a program housed in the U.S. General Services Administration (GSA). It was developed to standardize the assessment, authorization, and monitoring of cloud computing services used by federal agencies. Vendors, Cloud Service Providers (CSPs), and federal agencies seeking to adopt cloud computing services need to be familiar with FedRAMP.

In a nutshell, understanding FedRAMP means realizing it standardizes the security risk assessment, authorization, and regular monitoring of cloud computing services used by federal agencies. It’s important to note that:

• GSA houses the FedRAMP program and operates it in conjunction with the Department of Homeland Security (DHS) and the Department of Defense (DoD).
• FedRAMP compliance guidelines go hand-in-hand with technical guidelines for cloud computing presented by the National Institute for Standardization and Technology (NIST) Special Publication 800-53.
• FedRAMP also supports federal agency compliance with FISMA and OMB Circular A-130.

Cisco Umbrella and the FedRAMP process

Here is where Cisco comes in. As a vendor, we would like to get one or more of our products listed on the FedRAMP Marketplace. In this case, Cisco Umbrella. Currently, Cisco has FedRAMP Authorized, Ready, and In Process solutions (see the list) and we’re continually adding to it.

There are two possible ways to authorize a Cloud Service Offering through FedRAMP. The first is through an Individual Agency and the second through the Joint Authorization Board (JAB). For Cisco Umbrella, we chose the individual Agency route, which requires an Agency Sponsor. The United States Federal Communications Commission (FCC) chose to be ours. The alternate way is the JAB Provisional Authorization. JAB is the primary governing body for FedRAMP and includes the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA).

Understanding FedRAMP: Preparation phase

The first phase when using an Agency Sponsor approach is the Preparation phase. It consists of two steps:  Readiness Assessment and Pre-Authorization.

Preparation Step 1: Readiness Assessment

For this step, Cisco chose a FedRAMP Ready designation, which is optional for the Agency Authorization process, but highly recommended. But it requires working with an accredited Third-Party Assessment Organization (3PAO) to complete a Readiness Assessment Report (RAR) of its service offering. This documents Cisco’s capability to meet federal security requirements.   

Preparation Step 2: Pre-Authorization

Cisco then formalized its partnership with the FCC via the requirements outlined in the FedRAMP Marketplace: Designations for Cloud Service Providers. We also prepared to undergo the complete authorization process, making any necessary technical and procedural adjustments to address federal security requirements and prepare the security deliverables required for authorization. During this stage, Cisco completed the following.

• Cisco Umbrella was fully built and functional.
• We assembled a leadership team that was 100 percent committed to the FedRAMP process.
• Cisco completed a CSP Information Form.
• We fully determined the security categorization of the data that will be placed within the system utilizing FIPS 199 categorization template along with guidance of FIPS 199 and NIST Special Publication 800-60 Volume 2 Revision 1 to correctly categorize the system based on the types of information processed, stored, and transmitted its systems.

Cisco then held a Kickoff Meeting with the Agency Sponsor to discuss the following.

• Background and functionality of the cloud service.
• Technical security of the cloud service (system architecture, authorization boundary, data flows and core security capabilities).
• All customer responsible controls that must be implemented and tested by the agency.
• Compliance gaps and remediation plans.
• A work breakdown structure, milestones, and next steps.

After successful completion of the kickoff, Umbrella was scheduled to be listed as In Process on the FedRAMP Marketplace.

Understanding FedRAMP: Authorization phase

Next up is the Authorization phase. It also consists of two steps: the Full Security Assessment and the Agency Authorization Process.  This is where Umbrella currently sits within the FedRAMP process (as of May 10^th 2023) and will now move to the following.

Authorization Step 1: Full Security Assessment

A Third-Party Assessment Organization (3PAO) will perform an independent audit of the Cisco Umbrella system (completed by Coalfire). Prior to this step, the Cloud Service Provider should ensure that the Site Security Plan (SSP) is complete and has been reviewed and approved by the Agency Sponsor. During this phase, the Security Assessment Plan (SAP) will be developed by the 3PAO. The 3PAO will then test Cisco Umbrella, creating a Security Assessment Report (SAR) which details test results and any recommendation for FedRAMP Authorization.

Once the 3PAO is finished, Cisco will develop a Plan of Action and Milestones (POA&M) based on the SAR findings (with input from the 3PAO) which will outline a plan for addressing test findings.

Authorization Step 2: Agency Authorization Process

The Agency Sponsor will conduct a security authorization package review, which may include a SAR debrief with the FedRAMP Project Management Office (PMO). Depending on the FCC review results, Cisco remediation may be required. The Agency Sponsor will also implement, test, and document customer responsible controls during this phase. Lastly, the FCC will perform a risk analysis, accept any risk, and issue an Approval to Operate (ATO). This decision is based on the Agency’s risk tolerance.

Once the Agency Sponsor provides the ATO letter for use of Cisco Umbrella, the following closes out this step:

• Cisco will upload the Authorization Package Checklist and the complete security Package (SSP, and attachments, POA&M, and Agency ATO letter (except for the security assessment material) to the FedRAMP secure repository.
• The 3PAO (Coalfire) will upload all security assessment material (SAP, SAR, and attachments) associated with the security package to FedRAMP’s secure repository.

The FedRAMP PMO will perform a review of the security assessment materials for inclusion into the FedRAMP Marketplace. The FedRAMP Marketplace listing for the service offering will be updated to reflect FedRAMP Authorized Status and the date of authorization. The security package will then be made available to agency information security personnel, to issue subsequent ATOs, by completing the FedRAMP Package Access Request Form.

After FedRAMP Authorization

Continuous Monitoring

Once it receives Authorized status for the FedRAMP Marketplace, Cisco Umbrella will enter the continuous monitoring phase. This consists of post authorization activities in support of maintaining a security authorization that meets FedRAMP requirements.

Post Authorization in FedRAMP

During the Continuous Monitoring phase, Cisco is required to provide periodic security deliverables (vulnerability scans, updated POA&M, annual security assessments, incident reports, significant change requests, etc.) to all agency customers. Each agency using the service will review the monthly and annual continuous monitoring deliverables. Cisco will also utilize the FedRAMP secure repository for posting monthly continuous monitoring material for ease of access and sharing with agency representatives.

Pushing forward on FedRAMP compliance

Our team at Cisco is continually focused on getting Cisco Umbrella FedRAMP compliant. It has successfully navigated the required kick-off meeting with the FCC and is now listed as In-Process on the FedRAMP Marketplace. Cisco Umbrella will now begin the intense audits from the 3PAO, Coalfire, that are required during the Authorization phase’s Step 1 – Full Security Assessment. Once completed, Step 2 – the Agency Authorization process, will begin. If all goes well, Cisco Umbrella will then be Authorized in the FedRAMP Marketplace. From there Cisco Umbrella will enter the Continuous Monitoring phase to meet the requirements to stay Authorized on the FedRAMP Marketplace.

As we now see, understanding FedRAMP, whether for Cisco Umbrella or any of our other FedRAMP solutions, means recognizing that it is indeed a rigorous and thorough process that is taken seriously by all stakeholders. By submitting our solutions to this process, we’re helping federal agencies create a more secure cloud and helping government innovate for the future.

Additional FedRAMP resources

• Free Trial: Cisco Umbrella
• Explore Cisco Solutions for FedRAMP
• Visit FedRAMP online
• Cisco SD-WAN Achieves FedRAMP ATO
• Get complimentary ‘Gartner®: FedRAMP Demystified’ report

[1] The Cloud First policy was intended to accelerate the pace at which the Federal Government realized the value of cloud computing by requiring agencies to evaluate safe, secure, cloud computing options before making any new investments.