CarahCast: Podcasts on Technology in the Public Sector

Out with the Old, In with the New: What's Ahead for FedRAMP

Episode Summary

GovExec and Carahsoft co-hosted the annual GovForward FedRAMP Summit in Washington, D.C. to discuss the evolving threat landscape of federal cloud adoption. This event brings together government experts and industry innovators to examine the impact of threat-based cloud adoption, Federal policy changes and the power of knowledge sharing that drives technological advancements.

Episode Transcription

Out with the Old, In with the New - What’s Ahead for FedRAMP

Anthony Jimenez 00:12

Welcome back to CarahCast, the podcast from Carahsoft, the trusted government IT solutions provider. Subscribe to get the latest technology updates in the public sector. I'm Anthony Jimenez, your host from the Carahsoft production team. On behalf of GovExec and Carahsoft, we would like to welcome you to today's podcast, focused on FedRAMP. In this session, from the 2023 GovForward FedRAMP Headliner Summit, hear from the leadership spearheading FedRAMP's continued success, the priorities for the year ahead, and how an evolving threat landscape has informed new endeavors.

George Jackson 00:41

Well, good afternoon, everyone. I'm George Jackson, host of GovExec TV. Our next session is titled "Out with the Old, In with the New: What's Ahead for FedRAMP." I'm going to give you a quick high-level overview of what we're going to talk about here today: evolving technology that comes with risk. How is FedRAMP evolving alongside risk to meet the moment? In this session, hear from past FedRAMP leadership about continued success, priorities for the future, and how an evolving threat landscape has informed new endeavors. I've got a great couple of panelists here today. You may recognize the woman next to me: her name is Maria Roat, currently President of MA Roat Consulting, but she's also the former Deputy Federal Chief Information Officer of the United States and former FedRAMP Director. She won the Catalyst Award this year at the Fed 100. The list goes on and on. Maria, do you want to say hi? I hope you had a great trip.

Maria Roat 01:44

I did. I just got back from three weeks, I was in Svalbard and Iceland and Greenland. I just got back yesterday. So over to you, George.

George Jackson 01:53

A lot of time zones in a short amount of time. We also have a guest joining us remotely today: Zach Bennefield, principal security engineer at Tenable. Team, is Zach up? So, Maria, as I mentioned a few of your titles, one of them was Deputy Federal Chief Information Officer, and you've also been FedRAMP Director. Give us a sense of how that program, from your view, has evolved over the past few years.

Maria Roat 02:25

The program itself has had to respond just to the constant changes in technology, right? You know, when you go back more than a decade ago, when we stood up the program, I mean, think about it, people were just starting to move to the cloud; they were just starting to think about it. And veterans had to respond to the environment, and not just respond, but to try to lean in and be proactive and understand what's going on. Fast forward, right? We're, what, 12 years later from when we stood up FedRAMP. The environments: agencies have certainly moved to the cloud, but they are continuing to move on the security and working in hybrid cloud environments, where you're in multi-cloud, and you're trying to access everything and do all your work in all of these environments. It's not just one. We talked about these ages ago, you know, about what those environments would look like. And I think the program has, you know, tried to respond to that, right, and thinking about the security and the layers and how you build all of that in, and try to do it for the entire federal government and handle all the change that comes with that to get the adoption, because I think that was critically important as well. But responding to the ongoing, continuous technology change continues, right? Everybody knows what that curve looks like. And the program has to continue to evolve to be able to respond to that.

George Jackson 03:44

I don't want to date you, Maria. But take us back to before then: why FedRAMP in the first place? What set of challenges was FedRAMP trying to address?

Maria Roat 03:56

You know, originally, right? When you look at FedRAMP, it was: how do you standardize cybersecurity in the cloud for all the cloud providers, right, and how do you do that once for the entire federal government? Right. That was really the discussion around that: how do we do this for the whole federal government? And that was huge, because agencies, you know, and they continue to do that, are protective of, well, you know, if somebody else does an authorization, it's not good enough for me, right? And vice versa. And really, this was driving to standardize that, to cut down costs for the cloud service providers, for industry, for everybody that had to deal with it, and cut down the time and the manpower that it took: you do it once. Right. One-to-many relationships. You had to do this for everybody. And to get the agencies to do it, it was really hard for that adoption early on because nobody trusted anybody. And I don't know that that's changed much. Folks here can tell me that. I mean, I know, talking to people, but you know, you have to evolve and continue with that trust across the federal government to accept the authorizations that somebody else did for a particular environment.

George Jackson 05:09

Zach, let's talk cybersecurity. How has that landscape evolved over the past several years? You know, we were just talking about FedRAMP, and how it has evolved, why it started. What about cybersecurity? What about that landscape?

Zach Bennefield 05:23

So, this has been really interesting to watch. I'm one of those individuals that got started very early, right? I dove into InfoSec at about 12 years old. So, I've gotten to watch decades of evolution at this point. And really, we're kind of in an unprecedented time in cyber, right? The threat landscape is evolving in both speed and scope. Every day that passes brings us new threats in the form of exploits, people and new capabilities. So, consider this: when you release a new product, platform or capability into the wild, it generally brings with it new threats, right? Vulnerabilities in the code, libraries, infrastructure, people; it expands your attack surface. And it really becomes critical to maintain a state of continuous monitoring, prioritization and remediation around literally everything in your infrastructure. So, keep in mind, when I say remediation, I don't just mean patching. Don't get me wrong, patching is great, it's necessary. But organizations need to understand that threats encompass so much more than what we would traditionally look at as exploits. You have to look at the people, the permissions, the code, the attack surface, all of it, to get a true understanding of your threat posture. You also need to come to terms with your threat tolerance, right? Because let's face it, you can't eliminate every threat. Some things are a necessary evil due to budget, operational tempo or resources.

Maria Roat 06:43

Yeah, and I think, you know, adding on to what Zach said, when you look at the landscape, right, that evolving landscape and what that looks like, you have to be able to be predictive in many ways, right? Understanding the trends, doing the analysis, using those tools' capabilities, so that you can... those trends are really important for you to understand what's normal in your environment and what's not normal. I think, you know, adding on to what Zach just said, that's just so important, to be able to be proactive and not wait for something to say, "Oh, well, you got a problem." Well, that was so three days ago, I'm screwed, right? So, you have to be able to understand that environment and be able to lean in and be proactive.

George Jackson 07:26

Zach, what are some of your top areas of focus right now?

Zach Bennefield 07:32

Oh, so right now, you know, some of the top areas of focus, I think, would be cloud computing, obviously, AI, huge right now, and identity. So, organizations generally have a good grasp on their on-prem. Right. That's not to say they have it figured out or they're doing a perfect job at it, but for the most part on-prem has largely stayed the same for years. As we saw the inception of cloud computing, which was wonderful and incredible, it introduced new challenges and threats that we couldn't have thought of 15 years ago. You know, you've got things like ephemeral assets, you know, looking at containerization technologies, that are introducing vulnerabilities and attack surface that are honestly too quick to patch or mitigate in a standard way. So, you have to really evolve the way that you're looking at your risk, looking at your mitigations. Secondly, AI. So, AI has become a bit of an obsession for me in the past year. It's nice to see it start going from the movie anecdotes, right, to mainstream platforms. And nearly every presentation we've seen today has talked about it in one way or another. So, it's going to become a necessary tool to do our jobs effectively and efficiently. But it's also going to continue to breed threats. More realistic phishing campaigns come to mind, code analysis for vulnerabilities, attacks against web-facing devices and critical infrastructure. These are things that are going to really start to ramp up with the help of AI, so we're going to also need to use it to identify, you know, what's going on. How can I mitigate? How can I detect? You know, so as it increases the speed of attacks, we're going to need to use it to increase the speed of defenses. And then lastly, on the focuses list, I think, and this is one that's often overlooked, so it becomes one of my favorites to talk about: identity. You know, people overlook identity, and that, as a former exploiter, makes me happy, or made me happy when I was in that role, right? So, if I have two machines on my network with the same critical vulnerability, let's say remote code execution, computer A may belong to Susan, my system admin; computer B may belong to Tom, my front desk receptionist. Generally, organizations look at this as "a vulnerability is a vulnerability," without taking the context of the user. If I attack Susan's computer and gain access, I could very well skip five steps towards domain takeover because of the inherent permissions that Susan has over Tom. This has been and continues to be one of the biggest pieces of the threat landscape across bad actors, ransomware and internal threats. So, organizations really need to get a serious grasp on their identity infrastructure, their misconfigurations and their permission sets. And cloud makes this more complicated, right? Because we've got permissions and roles in cloud that we didn't have in standard on-prem instances. Lack of identity on your, or lack of understanding of your identity, will really almost always lead to infrastructure takeover. So, you've really got to, you know, home in on that, get a good grasp on your identity services, focus in, because it's decades-old technology that's still being exploited. And every day it gets more and more complicated to understand, enforce, and, you know, really get a grasp of.

George Jackson 10:38

He's not saying it, but identity is a big part of the Cybersecurity Executive Order, the government push toward Zero Trust. Is there a connection, Maria, between Zero Trust and FedRAMP?

Maria Roat 10:53

Yes. When you look at it, what's necessary, right? Zero Trust is not a one-and-done, right? That's multiyear, layered; it's a maturity, it's an evolution. And a lot of this comes back to what Zach was talking about, getting back to basics even, right? So, when he talked about AI in this notion, and when you look at Zero Trust, right: understanding who's on your network, what do they have access to, what's the relationship? And then when you have FedRAMP, right, a lot of that's compliance. And that's back to basics. Are you complying with what you need to? And you need to go above and beyond to be able to secure your network, right? So, there are tie-ins across the board on all of this, because while you have FedRAMP, that says here are the minimum things you need to do and here's what you need to do to secure your network, that's not the be-all, end-all. There's more to it than that when you start laying in the threats and the AI and what you can do in this entire space. Holy cow, FedRAMP is not the be-all, end-all. You've got so many other things from an operational perspective that you have to pay attention to. It's not just about compliance; it's the entire operations landscape.

George Jackson 12:05

Where else can agencies and organizations look for guidance, Zach? You know, you mentioned the Cybersecurity Executive Order; there's obviously the FedRAMP PMO, the program management office. Where else should they be looking for information to help them improve this nexus between cloud computing and cybersecurity?

Zach Bennefield 12:23

We have compliance standards, and there are a lot of organizations that take their compliance standards and just say, "Okay, we checked the box. Good," right? You know, you've got to put your mission into your mindset. You've got to start looking at, okay, we've checked the box on everything that the compliance standards tell us to do; what else should we be doing? So, we can look at all the different compliance standards out there, you know, they're multinational, they're across federal government, they're across industry, but you can also look at what industry is doing, right? How are other industry leaders protecting themselves? What kind of mitigating practices are they putting in place? What can we glean out of threat intelligence, right? Yes, I've got a 16-character password limit, that's great. But I need to be aware of what bad actors are exploiting in the wild. So, you definitely need to take a step back from the compliance mandates, once you have that handled, and figure out what everyone else is doing, what's effective, right? I often, you know, try to get CISOs to talk to each other. And some of them do; a lot of them are well connected. But every now and then you run into them, and they're like, "Well, this is my program, this is how I'm going to do it." And it's like, well, that's great, but you need to look at what the industry practices are doing. You know, you've got to figure out what's happening in the wild because it honestly is a day-by-day battle, right? It's not a set-it-and-forget-it kind of thing. Tools, tactics and procedures are changing every day.

Maria Roat 13:45

Just to add on to that. So, I go back to when I was the CIO for the Small Business Administration, right? We leveraged FedRAMP. We leveraged the ATOs, yay. But that was compliance. Okay. But what else did I have to do? We had a bank; we had billions of dollars in loans and grants that we were dealing with. So we were, in effect... the SBA is a bank, you know, people don't think about it, but it was a bank, billions and billions of dollars, you know, for small businesses across the entire country. And I had to keep in mind that operational aspect and those threats from a financial perspective, right. What is targeting the financial sector? I had to pay attention. What are those threat actors that are out there? This gets entirely back to the mission, and who's paying attention, right? So, I had relationships, and I did talk to CIOs from a lot of the banks that were out there, you know, about what they were seeing, what we were seeing. We had information exchanges, and I had a threat hunting team that also was out there. So, it wasn't just that I leveraged FedRAMP and I checked the blocks on compliance. I had to pay attention to all of this other threat landscape and all the operational things that were going on, not just in my network, but what else was coming at me, because we had billions of dollars that we were dealing with.

George Jackson 14:58

To that point, we're in a different era, I mean, should AI systems have an ATO?

Maria Roat 15:05

That's a great question. You know, somebody slipped me a paper yesterday; I haven't had a chance to really look at it. But it was talking about a risk management framework around AI systems. And I got to thinking about it. And I've not read the paper in its entirety, but I got to thinking about it a little bit. And I said, well, you've got algorithms, right? How do you know what the algorithms are doing? 90% of your tools you're going to buy off the shelf are going to have AI built in; the other 10%, maybe, I'm making up the numbers, the other 10% are going to be somebody building an algorithm doing a thing. But a lot of these other ones are going to be built in, and how do you know what those algorithms are and how they operate and what they're doing? I don't know what that model is going to look like, or what that should look like around risk, around algorithms. But I'm glad to see people are thinking about it, right? When you have all those algorithms, who built the algorithms? There are biases built into those algorithms. And there could be inherent risks within those, right? We're talking about security, cybersecurity around it. What are those risks within those algorithms that you need to pay attention to? Not just the privacy and all the rest of it that go along with it. But how do you understand this?

George Jackson 16:13

Zach, because you're not in the room, I'm not 100% sure that you are not, in fact, an algorithm yourself, but I would like to know where you think automation fits into this discussion as well, sir.

Zach Bennefield 16:26

We'll talk a little bit about that previous question as well. I think, absolutely, there need to be, you know, compliance mandates put in place for AI models. I recently sat down with a software engineer, a brilliant software engineer who could do really anything that I needed him to do. And he couldn't change the network settings on his computer, didn't know how, right? So I think everybody has their expertise. So if you've got a developer that may not be security conscious, you know, they may not be building in the things that say, "Hey, don't allow, you know, unauthenticated access to the back end models, don't allow, you know, X, Y, and Z." So, I think that's really where a compliance standard comes in. And then when you look at automation, and how that fits into the discussion: resources, right? So ask any organization, and they'll tell you they need more people. Sometimes I'm seeing that they don't have a cohesive story with their tools, so that can be an issue, or sometimes they just literally don't have enough people to meet the mission. So, I think, as you're looking at automation, that's really how you go from an immature to a mature organization, right? And I'm not talking about just InfoSec; I'm talking about development, InfoSec, IT, all of it. That's really how you, you know, move the gauntlet from "hey, we've got four people to do this entire thing" to "okay, well, we've got four people, but we can use AI and we can use automation to do 60% of the tasks that they would have done." Now that frees them up to do the other 40% and add additional taskings onto their workload.

George Jackson 17:54

I've got a couple more questions, then we'll take questions here from the audience. Maria, before we came on stage, you mentioned the role of a continued value proposition in this discussion. You know, what does FedRAMP need most right now that should be in the equation?

Maria Roat 18:10

Yeah, we were talking about this a little bit, you know, looking ahead, you know, for FedRAMP. You know, what is that continued value proposition for the federal government? What are the services that they need to provide that the agencies are going to use and continue to use and need, not just by mandate, but because it's the right thing to do? And this comes back to the value proposition, right. For industry, you know, there's a lot of cost when you're going through FedRAMP and your authorization. And I talked to somebody a few weeks ago, and he's a small business running it, and he says, "Oh, I've got to go through all this. I don't know how I'm going to do it. And it's going to cost me money." And I think that value proposition is so critical and important for the program, that it continues to provide value, right? Why? Start with why. Why are we continuing to have this program? Yes, it's in law now. Yes, it is. But why? Why are we doing what we're doing? And is it evolving where it needs to be? This goes back to the very first question that we had today: is it evolving to meet the needs of the agencies as technology changes? This is ultimately about that value proposition, because businesses out there, big and small, have to spend money to get their authorization. It takes time and it takes money, and it takes people, and it takes all these resources. And that is so critical for the program, that they continue to convey that.

George Jackson 19:28

Zach, what kind of communication has to happen between your development, your operations, and your security teams, so there's universal agreement on where any individual application fits into what you've called the FIPS landscape, Federal Information Processing Standards?

Zach Bennefield 19:51

Yeah, so let's take it back to 2002, right, with FISMA. So, they kind of laid down, or he kind of laid down, the gauntlet on everybody in the government and those working with the government in private industry. And as part of that, it required FIPS for data at rest. It's, you know, how are we going to protect our data at rest, our data in transit? What does our hashing look like? What should our encryption look like? Do you need to keep up with a validation process? Right? Do I need FIPS-validated algorithms if you go through a process like FedRAMP, or NIAP, and all the things that come along with that? So, these things, you know, they're why it's so critical for your internal teams to communicate and plan. Obviously, we like to think teams communicate and lay out their requirements well, but that's not always the case. So, you can have your security team saying, "Hey, we need to use FIPS algorithms," while the development team is saying, "Okay, great, what's that?" It becomes really important that you have mechanisms in place where you can collaborate on these types of plans. So maybe a portion of your platform can't use certain algorithms because they break communication flow, right? You can't have a security team blindly saying you will use this algorithm. You really need to have that cohesive conversation on, okay, here's what's available that we can use according to FIPS, but which of these algorithms meets our requirements, right? And then these things need to be, well, and I hate this word, documented. I get my hands slapped more times over documentation than anything else in my career, because I have to force myself to do it. But inherently, documentation is one of the most important parts of an organization for development, auditing, understanding, delivery, every piece of it. So a well-developed documentation process will help you across the board, whether you're going through an authorization process or explaining why you need to use a specific algorithm, and why a dev can't just change that.

George Jackson 21:38

There you go. Audience, Maria Roat, former Deputy Federal Chief Information Officer of the United States, and Zach Bennefield with Tenable. Thanks for being here. Maria, you can have.

Maria Roat 21:50

Thank you, George!

George Jackson 21:51

Thanks, everybody.

Maria Roat 21:52

Thanks Zach!

Anthony Jimenez 21:53

Thanks for listening. And thank you to our speakers, Maria Roat, Zach Bennefield and George Jackson. Don't forget to like, comment, and subscribe to CarahCast, and be sure to listen to our other discussions. If you'd like more information on how Carahsoft can assist your organization, please visit www.carahsoft.com or email us at fedramp@carahsoft.com. Thanks again for listening and have a great day.