As an independent software vendor (ISV), you’ve done all the right things in the commercial market. Customers love your product. Your product has a buzz in the industry. You carefully identify the public sector as your next target. All the meetings go well. You find a government project that’s hungry for your application.
Your application goes through a FedRAMP assessment – the last hurdle before the government can start using your application in production – then you get a call stating that your application failed the FedRAMP assessment. Full stop. Halt. All of a sudden your goals in the public sector market grind to a halt. Here are some tips on what to do next:
1. Do a postmortem of what happened during your first assessment
First of all, failing a FedRAMP assessment happens all the time. It’s nothing to be ashamed about, especially if you are just entering the public sector market for the first time. Keep in mind that the government is the most security-conscious vertical you may do business in. Even if you’re already doing business in healthcare and financial services, you’ll find that the government plays at a different level because the consequences of a data breach can threaten national security.
Plan out a mitigation strategy for the failed assessment that includes:
- Review the SAR and plan out a strategy to mitigate the open vulnerabilities found in the initial scans
- Consider bringing in more FedRAMP experience to your team which means for many ISVs a third-party consultant or FedRAMP authorized CSP/MSP
2. Be open-minded to the government’s penetration testing standards
The federal government plays at much higher security stakes than other vertical markets that you might be doing business in. It’s easy to want to push back at some of the attack vectors they want to check through penetration testing. Then again, it’s also easy to be dismissive of some of the language in the authorization letter.
Conducting a penetration test in exact accordance with FedRAMP guidance and without delays is required to gain a positive FedRAMP ATO decision.
3. Do your vulnerability scanning the “government way”
Vulnerability scanning carries a different level of importance in the public sector versus the commercial world. FedRAMP expects timely remediation of any and all vulnerabilities that scans encounter.
You must perform scans in an authenticated manner for all hosts within the authorization boundary. All plugins must be enabled too. All scanning results must be available in a format acceptable to the government:
When it comes to database vulnerability scans, they must authenticate to and scan the database itself. Environment-wide operating system (OS) vulnerability scans – already party to the FedRAMP assessment – scan the underlying database OS.
Certain Cloud Service Offering (CSO) architectures make it difficult to conduct database vulnerability scans. It’s important to note the FedRAMP requires compliance scans performed against CIS L1 benchmarks or Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs).
The Security Assessment Report (SAR) includes documentation of every open vulnerability found during the FedRAMP assessment.
You must formally document deviation requests for potential operational requirements (ORs), false positives (FPs), or risk reductions in the Plan of Action and Milestones (POA&M) and the FedRAMP Vulnerability Deviation Request Form.
Failing the FedRAMP assessment for your application isn’t the end of your federal market dreams. Rather, it’s a time for you to double-down on the security measures that FedRAMP mandates and gain a better understanding of the intricacies of federal government cybersecurity and how the government is a vertical market in its own right.
If you have recently failed a FedRAMP assessment for your application, contact us at: firstname.lastname@example.org, and we can help you get back on the road to a FedRAMP Authorization in less time and with less effort.