What’s FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP matters because it is the standard by which cloud service providers (CSPs) are assessed for federal use: only FedRAMP-authorized cloud service providers can offer their services to US government agencies.
FedRAMP:
- Creates and manages a core set of processes to ensure effective, repeatable cloud security for the government
- Facilitates the shift from insecure, tethered, tedious IT to secure, mobile, nimble, and quick IT
- Has an established marketplace of the types of solutions federal agencies need
- Promotes reusability and facilitates collaborations across government through open exchanges of lessons learned, use cases, and tactical solutions
- Assists and provides guidance to agencies, cloud service providers, and third-party organizations to support their move to modern, secure cloud technologies.
FedRAMP Provides Service to Three Categories of Partners:
- FEDERAL AGENCIES: FedRAMP provides the opportunity for agencies to save money and time by adopting innovative cloud services to meet their critical mission needs.
- CLOUD SERVICE PROVIDERS: FedRAMP authorized vendors offer cloud services that allow federal agencies to securely and quickly meet their mission needs.
- THIRD PARTY ASSESSMENT ORGANIZATIONS (3PAOs): 3PAOs perform the initial and periodic assessments of cloud systems to verify that they meet FedRAMP requirements.
Accelerating FedRAMP Compliance
When it comes to the development and deployment of cloud products and services, FedRAMP compliance scrutinizes the software development lifecycle itself. Today, many developers are stuck with highly manual, error-prone, and resource-intensive release processes that do not satisfy FedRAMP requirements.
The following factors are common blockers of FedRAMP compliance:
- NO HOLISTIC VIEW: Lack of visibility into the entire delivery process makes it harder to centralize governance, establish the necessary internal controls, and understand where inefficiencies occur within deployment pipelines.
- LOW DEPLOYMENT VELOCITY: Manual deployment processes are error-prone and resource intensive. Add in the need to deploy to isolated environments such as AWS GovCloud, or to fully air-gapped ones, and your ability to ship software grinds to a crawl.
- POOR RELIABILITY & SECURITY: Lack of visibility, automation, and rollback capabilities increases the risk associated with deploying into production and impacts the confidence of the developers.
- LACK OF ACCESS: When deploying to a FedRAMP environment, you often cannot (and should not) give every developer direct access to it. By making deployments automated and consistent across environments, the pipeline becomes the controlled path into the FedRAMP environment, driven by the same automation developers already maintain for non-FedRAMP environments.
With Spinnaker, you can automate the software delivery process and streamline what was previously highly manual, resource intensive, and error-prone.
How Spinnaker and Armory Accelerate FedRAMP Compliance
Today’s tooling falls short in addressing the various controls to both achieve and maintain FedRAMP compliance over time.
Spinnaker, the open source, multi-cloud, continuous delivery platform, coupled with Armory’s security and compliance plugins, can help you deploy software changes to production quickly, safely, and automatically.
Spinnaker supports FedRAMP compliance by streamlining the software delivery process.
With Spinnaker you can:
- Automate deployments across multiple cloud accounts, regions, and cloud providers within continuous deployment pipelines
- Design and automate a delivery process that fits your release cadence and the business criticality of your application
- Structure deployments from customizable pieces
- Ensure safety across cluster deployments and pipeline executions
- Integrate automated testing techniques, such as smoke tests or automated canary analysis into the delivery process
- Reuse the same deployment pipeline for your FedRAMP-authorized (Infosec) environment and your other production environments
- Leverage Armory Policy Engine to enforce pipeline logic that supports the required FedRAMP controls
For a detailed case study of Spinnaker in action, go to: How Lookout Leveraged Spinnaker for FedRAMP Compliance.