By Andrew Ledford
What is FedRAMP
FedRAMP is the Federal Risk and Authorization Management Program. It was developed following President Barack Obama’s policy, International Strategy for Cyberspace and Cloud First, which encourages the federal adoption and use of information systems operated by cloud service providers. The development of FedRAMP was achieved collaboratively with the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense (DOD), the Department of Homeland Security (DHS), state and local government, and others.
Consistent with the Cloud First policy, federal agencies were encouraged to utilize cloud-based information systems operated by cloud service providers. NIST, which maintains the NIST SP 800 series of computer security publications, publishes NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. This is the control catalog used for federal information systems and organizations; it contains the requirements for FedRAMP.
The key goals of FedRAMP are to accelerate the government’s adoption of secure cloud solutions and reuse assessments and authorizations across agencies. These are accomplished through cloud service providers creating a single Authority to Operate (ATO) package, a single security assessment by an independent third-party assessment organization (3PAO), and a single set of Plan of Actions and Milestones (POA&Ms) which each agency can then access, review, and issue an ATO for on OMB Max. U.S. government agencies can request access to the Cofense FedRAMP ATO package using this form (Package ID #FR2013059515).
For additional information on FedRAMP refer to https://fedramp.gov/about.
FedRAMP vs. FISMA
Both FedRAMP and FISMA are based on the NIST SP 800-53 control catalog. This catalog includes hundreds of controls and control enhancements. The applicability of these controls is determined by the types of data the system is being used to store and process, as well as the criticality of that information system to accomplish the organization’s mission. FISMA applies to agency managed systems including on-premises systems, whereas FedRAMP applies to cloud systems managed by external cloud providers. The main differences between FedRAMP and FISMA requirements are detailed in the table below.
| Baseline | # NIST SP 800-53 Controls¹ | Other Requirements |
| FISMA Low | 124 | N/A |
| FISMA Moderate | 261 | N/A |
| FISMA High | 343 | N/A |
| FedRAMP Low Impact SaaS (Li-SaaS) | 36² | –Independent Assessor³ required to perform control assessment |
| FedRAMP Low | 125 | -Independent Assessor³ required to perform control assessment
-Independent Assessor³ required to perform infrastructure, database, and web application vulnerability scans |
| FedRAMP Moderate | 325 | -Independent Assessor³ required to perform control assessment
-Independent Assessor³ required to perform infrastructure, database, and web application vulnerability scans -Independent Assessor³ required to perform penetration testing |
| FedRAMP High | 421 | -Independent Assessor³ required to perform control assessment
-Independent Assessor³ required to perform infrastructure, database, and web application vulnerability scans -Independent Assessor³ required to perform penetration testing |
FedRAMP requires independent assessments to ensure the integrity and consistency of the security assessments.
Why did Cofense decide to pursue FedRAMP
The federal government is experiencing an increase in phishing attacks which has been exacerbated by COVID-19 and teleworking⁴. Agencies are looking for intelligent ways to defend against these attacks. In September 2020, NIST announced the development of Phish Scale to “…help organizations better train their employees to avoid a particularly dangerous form of cyberattack known as phishing.” Cofense provides phishing defense solutions created to address that particular attack threat.
Cofense’s government agency customers using PhishMe were performing their own security assessments and ATOs. These assessments, and sometimes thousands of pages of ATO documentation based on agency requirements, increase the time and complexity of using Cofense PhishMe. Agencies were left without a key phishing detection capability. Our customers sought a way to implement our phishing defense solution quickly and securely.
Based on our customers’ use cases for the Cofense PhishMe product, we determined that our system would be handling personally identifiable information (PII). It would serve as an essential protection to agencies; this resulted in Cofense PhishMe being categorized as a FedRAMP Moderate system based on Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, and the accompanying NIST SP 800-60 Volume II, Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories. See Cofense’s blog on Why ‘Moderate’ Matters for details.
How did Cofense approach FedRAMP
Cofense evaluated our customers and the FedRAMP requirements, and determined that building out a dedicated FedRAMP environment for federal agencies would best meet these requirements. The Cofense PhishMe FedRAMP environment is deployed on AWS GovCloud, operated with U.S. citizens on U.S. soil.
Cofense’s FedRAMP environment is a government-community cloud with appropriate logical separations, authentication mechanisms meeting the NIST 800-63-3 Digital Identity Guidelines for FedRAMP Moderate systems, vulnerability management, continuous monitoring and more.
When asked how Cofense went about the FedRAMP journey, Keith Ibarguan, Cofense Chief Product Officer, said, “On the surface, it might seem that you just take your code, run it through the gauntlet and, voila, out the other side, you have an ATO. That’s definitely not the case. We worked really hard to put the software in a position where we can manage and maintain the code in the most efficient manner. We refactored everything. We uplifted the software libraries and approaches to even deploying the code end to end, across the board.”
Cofense engaged the leading FedRAMP 3PAO to conduct the assessment of Cofense PhishMe, which included an independent evaluation of the following:
- Cofense’s implementation of the 325 FedRAMP Moderate NIST SP 800-53 Controls
- Cofense’s vulnerability management practices by conducting independent vulnerability scans
- Cofense’s web application security practices by performing independent penetration testing
Conclusion
Cofense PhishMe is now FedRAMP Moderate Authorized. We’re excited to offer our managed PhishMe FedRAMP product to support federal defense against phishing attacks. Agencies can request access to the Cofense FedRAMP ATO package using this form (Package ID #FR2013059515) or contact Cofense directly.
_____________________________________________________
¹ 36 testable controls. Other controls are required to be attested to.
² JAB P-ATO require that a 3PAO be used. Agencies are encouraged to use a Third-Party Assessment Organization.
³ 3PAO as the Independent Assessor to form the CSP’s assessment.
⁴ https://www.fedscoop.com/teleworking-zero-trust-in-dod-phishing-attacks-increase/, https://us-cert.cisa.gov/ncas/alerts/aa20-099a, https://www.pcmag.com/news/phishing-attacks-increase-350-percent-amid-covid-19-quarantine
