Saviynt received its FedRAMP ATO (Authority to Operate) on March 1st, 2019. This marked a major milestone in strengthening the maturity of our cloud operations, security posture, and customer confidence. Receiving the FedRAMP ATO was a 20 months arduous journey and a testament to our team’s sheer hard work, perseverance and in-depth understanding of cloud technology.
This blog aims to provide insights into what worked for us and to help organizations who are planning to or are already on this journey
Our FedRAMP journey was done roughly in three phases:
- Research and Awareness Phase
- Execution Phase
- Consolidation Phase
Research and Awareness Phase (4 Months)
This phase was germane to get an in-depth understanding of what we were getting into. We did this in the following ways
1. Learning from industry experience
Learning from the experiences of others who have gone through this journey, auditors and advisors were imperative before we started this journey and helped us tremendously in crafting our strategy. FedRAMP workshops, panel discussions, and cloud security-focused conferences not only gave insights into the process but helped us in avoiding some common pitfalls.
Learn from auditors, advisors and collect best practices to avoid making costly mistakes. Don’t listen only to consultants
2. Impact analysis on financial implications, resource needs, and priority shifts are imperative
FedRAMP certification requires huge investments in terms of money, time and effort. Gaining an understanding of these investments early on in the process, helped us plan better on all fronts. These investments vary largely based on the boundary definition (see point 5 below), chosen platform (on-premise, cloud, hybrid, etc.) and business processes. Impact on other organizational initiatives was a key outcome of this analysis, allowing us to align and channelize our efforts and stay focused toward a common goal.
FedRAMP journey is very expensive. Conduct an impact analysis before getting into it.
3. Creating awareness within our organization
During our early planning days, we believed FedRAMP impacts technology and entails working tirelessly with Engineering teams. Learning from the industry experts proved us wrong. FedRAMP certification touches almost every business unit of your organization including Sales, HR, Finance, Info Sec, Operations, Engineering, QA, DevOps, Platform, etc. Creating awareness within our business units, setting expectations and the desired outcomes, proved extremely valuable in our journey. We recognized our processes across the board including engineering will get better, not just germane to the public sector.
Reduce last minute surprises, by creating awareness internally. FedRAMP is not only for public sector. It ameliorates entire organization’s maturity
4. Understanding the NIST 800-53 Framework
FedRAMP certification leverages the NIST 800-53 framework and requires organizations to comply with the security controls defined per its specifications. An in-depth analysis of the NIST framework, mapping the controls to specific as-is procedures and policies in our environment, laid the groundwork to begin the execution phase of our journey. The early analysis and mapping exercise of NIST controls to our AS-IS platform and processes proved to be very effective in defining our boundary (see execution phase below) as well as mark the controls not in scope for us.
Removing controls not in scope is key to managing the overall certification timelines and optimizing investments
Execution Phase (10 Months)
Research and planning activities were over. It was time to execute. We started with our boundary definition!
5. Defining, refining, refining and refining our boundary
Boundary definition is the most important and fundamental step in an organization’s FedRAMP journey. Boundary refers to the scope of the system/platform which will be considered for FedRAMP evaluation. Defining and refining the boundary over several iterations helped us in setting clear goals and expectations within our teams. Clear definition of boundary helped us in articulating the NIST 800-53 controls which would apply to our boundary vs the ones which won’t. This also helped in refining our resource needs, timelines and dollar projections. Improper, Incorrect or Ambiguous boundary definitions can hurt organizations in their ATO process and lead to longer certification cycle, rework and confusion.
Protect your investments, by defining your boundary correctly and appropriately. Defining the boundary precisely is the first milestone towards success
6. Conducting an early GAP assessment by engaging a 3PAO (3rd Party Assessment Organization)
Conducting an early gap assessment on the defined boundary was pivotal to our success. Saviynt engaged Coalfire team to get this assessment done. Not only it helped us in refining and validating our boundary, but also helped in gauging our readiness and the amount of work required to make it happen. Coalfire was instrumental in doing an in-depth gap assessment and helped Saviynt team to understand the gaps, prioritize them as well as craft a mitigation strategy to address the same.
Early investment in a 3PAO is an effective strategy. Knowing the gaps early in the process is key for prioritization, boundary validation and plan adjustments.
7. Continuous engagement with a sponsor is key
Working continuously with Saviynt’s sponsor to seek advice, provide progress updates as well as getting guidance was extremely valuable. This helped both the teams to be in sync and working towards a common goal with focused attention.
Gaining advice, insights from sponsor is imperative. Use it diligently and effectively to craft your strategy and execution
8. Engaging a 3rd party organization for documentation
FedRAMP certification demands substantial documentation on system designs, policies, operating procedures, boundary definitions, etc. FedRAMP documentation was unique in its specifications, in terms of language, structure, and even system definitions. We decided to leverage a 3rd party organization to help us with creating the key documents (SSP (System Security Plan)). This allowed us to save time, focus on areas demanding higher priority and attention. This also helped in avoiding documentation errors, which is quite easy to have in this process.
FedRAMP documentation needs are very unique and of a different style. Delegating activities is key to remain focused. Know your strengths and plan accordingly
9. Getting entire team onsite during 3PAO Audit
Saviynt engaged Coalfire to conduct its FedRAMP 3PAO Audit. Needless to say, it’s an intense audit spanning for several days. All the in-scope controls validation, penetration testing, platform scans, interviews with business unit team members, processes and policy validations are some of the key activities happening during the audit. Saviynt brought its entire platform team onsite, as well as key members from various business units to participate in an audit. This resulted in swift evidence gathering, with quick turnaround time in providing responses and closing the open items. Working on multiple tracks during the audit worked very well for us and is highly recommended. The Coalfire team played a very important role in conducting the audit diligently, highly optimized and timely manner.
3PAO audit is an extremely intense exercise and collocating the teams during this exercise is highly effective. Working with the 3PAO team in advance to plan for this event maximizes the success of it.
Consolidation Phase (6 Months)
This is the most important phase, requiring a lot of rigor, discipline, and determination to get through. Get ready for the curveballs!!
10. Preparing for the unexpected
We learned in our research phase; curveballs are almost certain. We did anticipate and plan for a few of them. However, the unexpected still happened both in technology and business processes. During planning, we agreed as a team to have quick reaction time, reprioritization and added investments if necessary. This consensus was vital in cutting the procrastination and moving to Plan B.
Have a Plan B. If you don’t have plan B, create one and move on. Swift reaction time is key!!
11. Multiple review sessions before the final package submission to FedRAMP PMO (Program Management Office)
Documentation effort is substantial in FedRAMP certification. It’s quite likely that multiple teams/members would be working on these which results in inconsistencies leading to incorrect interpretations and messaging in deliverables. Boundary diagrams, System Security Plan (SSP), System and Security Policies are extremely important documents in the FedRAMP package and can easily span a couple of hundred pages. Saviynt formed a core team responsible for collating the info from other team members and then adding the same to the core documents in the package. This was followed by multiple review sessions, resulting in documents with consistent messaging.
Review multiple times. Inconsistencies will exist. Minimize them as much as possible. Incorrect/Inconsistent documents will hurt timelines
12. Prepare well before the final meeting with PMO Auditors
The meeting with PMO auditors is tough. It is supposed to be. Preparing well for this meeting was key to our success. Reviewing comments received from PMO in detail, documentation changes as well as creating detailed slides for comments requiring explanations were some of the key activities, we finished, before walking into the room. Explaining the system, platform and processes with confidence was absolutely necessary. Our internal rehearsals, multiple review sessions served the purpose to deliver this with no errors.
The mantra is ‘prepare for more than asked’. Rehearse well. Know your systems and deliver with confidence.
These principles worked well for Saviynt and I hope at least some of them work well for organizations who are or are going to embark on this journey. Wishing you all the very best!
Enjoy the FedRAMP roller coaster!!