
What Is the Threat-Based Risk Profiling Methodology in FedRAMP?

In February 2022, the FedRAMP Program Management Office (PMO) updated the rules for its threat-based profiling methodology. This little-known approach to FedRAMP risk profiling and to rating security controls is the program's effort to streamline authorization and program management by combining industry threat intelligence with agile development practices.

Why Would the FedRAMP PMO Look for a Risk Profiling Methodology?

FedRAMP is the federal government's standardized approach to assessing, authorizing, and continuously monitoring the security of cloud services used by agencies. The framework gives agencies the guidelines and tools they need to define their security requirements, and gives cloud service providers (CSPs) a common standard for implementing and maturing their security controls.

One of the challenges of this framework, however, is the wide range of applicability of control families. FedRAMP primarily draws from NIST Special Publication 800-53, a relatively stable set of standards that these organizations may follow. But, depending on the actual needs and capabilities of all stakeholders, CSPs may find themselves with different infrastructures serving different requirements across different agencies. 

Therefore, the Office of Management and Budget (OMB) coordinated with the FedRAMP Program Management Office (PMO) on a study of the feasibility of an agile way to assess security controls and streamline cloud offering authorizations.

The FedRAMP Threat-Based Risk Profiling Methodology emerged from this study. The goals of this methodology are threefold:

As part of this coordinated study, the PMO also worked with two cybersecurity threat analysis frameworks to develop an applied assessment model for the controls in NIST SP 800-53. These include:

Leaning primarily on the .govCAR (.gov Cybersecurity Architecture Review) team at DHS CISA, the PMO was able to build a methodology on rigorous government and private-industry standards.


What Are the Three Phases of the FedRAMP Risk Profiling Methodology?

The meat of the methodology is a three-phase process that moves from analysis to assessment and profiling:

Phase 1: Threat-Based Analysis

Currently, there is a set of standard baselines for FedRAMP Authorization, but these baselines are applied across different cloud offerings, security systems, and agency demands. This means that authorization packages may need to adopt different security implementations depending on agency relationships and industries.

The core of this particular methodology is to establish potential “common values” that can align with the baseline FedRAMP criteria. Controls from NIST SP 800-53 were scored using the .govCAR process and rated on their capability to Protect, Detect, and Respond against threats and threat actions in industry-standard frameworks like MITRE ATT&CK. For each category (Protect, Detect, Respond) the control would receive a value of Limited, Moderate, Significant, or Not Applicable to illustrate its importance to that category.

That initial scoring pass took almost a year, so the participating teams needed a faster way to score the remaining NIST 800-53 revision 4 controls along with the new and changed controls in revision 5. This led to a process in which each control was scored using one of the following approaches:

Phase 2: Security Control Assessments

These security controls were then "deconstructed" into more granular control items. Each item is a concrete, testable statement of a security capability, so each can be checked individually for defects.

At this phase, the implementation of a security control item is assessed with a status of either Satisfied or Other than satisfied (the NIST SP 800-53A terminology). Because the items are concrete and testable, the assessment of implementation and defects can be automated, with the control items serving as the inputs to the assessment tooling.


Phase 3: Risk Profiling

Using a calculation that combines the Protect, Detect, and Respond values assigned to each NIST 800-53 control in Phase 1 with the Satisfied or Other than satisfied status of each of its control items from Phase 2, the model then derives a maturity level organized around the capabilities defined in NIST Interagency Report (NISTIR) 8011.
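The three-phase flow described above, reduced to runnable form as an added example. This is not the methodology's own code or the FedRAMP PMO's published formula: the numeric weights for Limited, Moderate, Significant, and Not Applicable, the per-control scores, the control-item checks, the system snapshot they run against, and the maturity thresholds are all assumptions constructed for illustration. What it shows is the mechanism: Phase 1 scores attach a weight to each control per category, Phase 2 turns each deconstructed control item into an automated check that yields Satisfied or Other than satisfied, and Phase 3 rolls those results up so that an unsatisfied control rated Significant for Respond drags the Respond profile down far more than an unsatisfied control rated Limited.

```python
"""Threat-based risk profiling, end to end, with constructed sample data.

Phase 1: each control carries a Protect/Detect/Respond score (NA, L, M, S).
Phase 2: each control is deconstructed into testable items with automated checks.
Phase 3: item results are weighted by the phase-1 scores into a per-category profile.
All weights, scores, checks, snapshot values and thresholds below are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Assumed numeric weights for the ordinal rating scale (not the official mapping).
WEIGHT = {"NA": 0, "L": 1, "M": 2, "S": 3}
CATEGORIES = ("protect", "detect", "respond")


@dataclass
class ControlItem:
    item_id: str
    description: str
    check: Callable[[dict], bool]   # automated test run against a system snapshot


@dataclass
class Control:
    control_id: str
    scores: Dict[str, str]          # category -> NA/L/M/S from phase 1
    items: List[ControlItem] = field(default_factory=list)


# Constructed snapshot standing in for the data an assessment tool would collect.
SNAPSHOT = {
    "mfa_enforced": True,
    "inactive_accounts_disabled": False,
    "audit_log_retention_days": 90,
    "siem_alerting": True,
    "ir_plan_tested_within_year": False,
    "ids_sensors_enabled": True,
}

# Constructed controls: real NIST SP 800-53 identifiers, illustrative scores and items.
CONTROLS = [
    Control("AC-2", {"protect": "S", "detect": "L", "respond": "NA"}, [
        ControlItem("AC-2.1", "MFA enforced for privileged accounts", lambda s: s["mfa_enforced"]),
        ControlItem("AC-2.2", "inactive accounts disabled", lambda s: s["inactive_accounts_disabled"]),
    ]),
    Control("AU-6", {"protect": "NA", "detect": "S", "respond": "M"}, [
        ControlItem("AU-6.1", "audit records retained at least 90 days",
                    lambda s: s["audit_log_retention_days"] >= 90),
        ControlItem("AU-6.2", "SIEM alerting on audit events", lambda s: s["siem_alerting"]),
    ]),
    Control("IR-4", {"protect": "NA", "detect": "L", "respond": "S"}, [
        ControlItem("IR-4.1", "incident response plan exercised in last 12 months",
                    lambda s: s["ir_plan_tested_within_year"]),
    ]),
    Control("SI-4", {"protect": "L", "detect": "S", "respond": "M"}, [
        ControlItem("SI-4.1", "intrusion detection sensors enabled", lambda s: s["ids_sensors_enabled"]),
    ]),
]


def assess(control: Control, snapshot: dict) -> Dict[str, str]:
    """Phase 2: run each control item's automated check and record its status."""
    return {item.item_id: ("Satisfied" if item.check(snapshot) else "Other than satisfied")
            for item in control.items}


def satisfied_fraction(control: Control, snapshot: dict) -> float:
    """Share of a control's items that are Satisfied (0.0 to 1.0); 0.0 if it has no items."""
    results = assess(control, snapshot)
    if not results:
        return 0.0
    return sum(v == "Satisfied" for v in results.values()) / len(results)


def risk_profile(controls: List[Control], snapshot: dict) -> Dict[str, float]:
    """Phase 3: weight each control's satisfied fraction by its phase-1 score and report,
    per category, the percentage of the attainable weighted value that was achieved."""
    profile = {}
    for cat in CATEGORIES:
        attainable = sum(WEIGHT[c.scores[cat]] for c in controls)
        achieved = sum(WEIGHT[c.scores[cat]] * satisfied_fraction(c, snapshot) for c in controls)
        # A category every control rates NA has nothing to measure; report 0.0, not a crash.
        profile[cat] = round(100 * achieved / attainable, 1) if attainable else 0.0
    return profile


def maturity_level(pct: float) -> int:
    """Assumed 0-3 maturity banding; the thresholds are illustrative only."""
    return 3 if pct >= 90 else 2 if pct >= 70 else 1 if pct >= 40 else 0


if __name__ == "__main__":
    for c in CONTROLS:
        print(c.control_id, assess(c, SNAPSHOT))
    for cat, pct in risk_profile(CONTROLS, SNAPSHOT).items():
        print(f"{cat}: {pct}% -> maturity level {maturity_level(pct)}")
```

On the sample data the Detect profile comes out highest because both controls rated Significant for Detect (AU-6, SI-4) are fully satisfied, while Respond is the weakest: IR-4 is the only control rated Significant for Respond and its single item fails, so it alone removes three of the seven attainable Respond points. In a real deployment the lambdas would be replaced by checks against scanner, IdP, and SIEM output, and the weights by the PMO's published control values.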

The 16 capabilities in NISTIR 8011 used to measure maturity include:


Consider Implementing Risk Profiling with Continuum GRC

Risk maturity and profiling are potent and effective approaches to security and compliance, and the authorities in FedRAMP have made it clear that they see it as a potential component of their program.

The best way to prepare for such a methodology is to have a solution that allows you to measure compliance and risk together, visually and in real time. That solution is Continuum GRC.

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

Continuum GRC is proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization's cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

