Government responses to evolving security threats have, to more or less a degree, started to incorporate advanced mitigation postures that reflect a world of networked systems and complex digital supply chains. 

To address this changing landscape, the president issued Executive Order 14028, “Executive Order on Improving the Nation’s Cybersecurity.” This 2021 order introduced a zero-trust approach to security and stricter requirements for authorization processes and baseline requirements. 

This article will discuss how some aspects of this executive order are impacting or will impact, FedRAMP Authorization for cloud service offerings. 

What Is Executive Order 14028?

EO 14028 introduced stricter requirements for government agencies, emphasizing data protection by requiring these agencies and their partners to adopt zero-trust infrastructure. 

While there are some specific details included in 14208 around implementation and expectations (which we’ve written about previously), the overarching goal is to align the government and its supply chain such that it may better resist threats presented by attackers, specifically Advanced Persistent Threats (APTs). 

What Is Zero-Trust Security?

“Zero trust” is a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and must verify anything—everything trying to connect to its systems before granting access.

The zero trust model follows several fundamental principles to ensure the network’s security. 

These principles include:

• Verify Explicitly: Always authenticate and authorize based on all available data points, such as user identity, location, device health, service or workload, data classification, and anomalies.
• Least Privilege Access: Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection in the network.
• Always Assume Breach: Instead of assuming everything inside the network is safe, zero trust assumes a breach has already happened. Minimize the potential damage (blast radius) from breaches and prevent lateral movement by segmenting access by network, user, devices, and application awareness.
• Network Segmentation: Network segmentation is a key aspect of zero trust. By breaking the network into smaller parts, you can reduce the attack surface and limit the potential damage of a breach.
• Zero User Trust: Zero trust systems don’t automatically trust users based on their network location. Instead, trust is established through continual verification and validation of the user’s identity and their device’s security posture.
• Automation and Orchestration: Implementing automated security policies and threat responses is a key part of a zero-trust model. This includes automating verifying user and device identities and coordinating responses to detected threats.
• Threat Intelligence and Analytics: Regularly collect and analyze data about emerging threats. Use this information to update and improve security policies and protocols continually.

These principles work together to provide a holistic approach to network security, ensuring that every access request is fully authenticated, authorized, and encrypted before it’s granted.

The Impact on FedRAMP

According to the FedRAMP website, a critical document for implementing this order is Memorandum 21-31 (M-21-31). This document guides taking existing security standards and tools and modernizing them into a zero-trust framework. 

However, this doesn’t translate into a needed action for CSOs already meeting their FedRAMP Authorization. What it means is that these CSOs, when working with an agency with zero-trust requirements, must meet those requirements per that agency’s RFP. 

These are particularly important as it relates to a few specific controls in NIST SP 800-53 (Revision 5):

• AC-4 (Information Flow Enforcement): As data potentially moves between an agency with zero-trust requirements and a FedRAMP-Authorized CSP, the provider must have controls in place that prevent encrypted information from bypassing control mechanisms through decryption, connection termination, or blocking data flows. 
• AU-11 (Audit Record Retention): CSPs should retain audit controls such that after-the-fact investigations into incidents may occur or FOIA requests are required by law. 
• SI-4 (System Monitoring): CSPs must be able to provide the system monitoring and identification processes outlined in NIST 800-53 to support zero-support systems–namely, the requirement that zero-trust architectures have monitoring for all system events. 

What Are Key Components of a Zero-Trust Architecture?

With the requirements mentioned earlier for zero-trust systems, an organization can begin to map standard controls into its FedRAMP Authorization plan. 

Some of the common controls, processes, and procedures for a comprehensive zero-trust system include:

• Identity and Access Management (IAM): Every individual and device trying to access resources in the cloud should be verified and authenticated. This usually involves multi-factor authentication (MFA) and stringent access controls.
• Principle of Least Privilege (PoLP): This involves ensuring that users only have access to the resources and information needed to perform their job functions. This limits the potential exposure of sensitive information and resources.
• Physical and Logical Network and Cloud: Cloud environments should be divided into secure and manageable segments. If an attacker compromises one part of the system, micro-segmentation prevents them from easily moving laterally to other parts of the system.
  
• Encryption: All data, both in transit and at rest, should be encrypted. This ensures that even if an attacker gets hold of the data, they cannot read or use it without the correct decryption keys.
• Continuous Monitoring and Analytics: It’s crucial to monitor and log all network activities and use analytics to identify abnormal or suspicious behavior. This is often achieved through security information and event management (SIEM) systems and other threat detection tools.
  
• Automated Security Policies: Using AI and machine learning, cloud service providers can enforce security policies across their entire cloud environment. This can include automatically blocking or limiting access if suspicious behavior is detected.
• API Security: Since cloud services often expose APIs for integration with other services, securing these APIs is crucial in a zero-trust model. This includes authenticating and authorizing API calls and protecting against attacks like DDoS.
• Endpoint Security: All devices connecting to the network, including personal and IoT devices, must be secured. This can involve mobile device management (MDM) or endpoint detection and response (EDR) solutions.
  

By implementing these strategies, a cloud service provider can integrate zero-trust architecture into their product offering, providing a more secure and trustworthy service for their users.

Integrate Zero Trust Principles Into Your FedRAMP Authorization with Lazarus Alliance

If your cloud offering is facing specific needs and challenges based on this executive order or the demands of your sponsoring agency, then you’ll need a partner to ensure you meet those requirements. That partner is Lazarus Alliance.