Part 3 in a series.
For a look at how we reached this point, I spoke with Akamai InfoSec's Kathryn Kun, the program manager who played a critical role in getting us certified. Kathryn was one of the main lines of communication between Akamai and the FedRAMP Joint Authorization Board (JAB).
For others looking to achieve FedRAMP certification, there are four questions that must be addressed up front.
- What are the limits you need to define? As with any compliance effort, the auditors will want as much data as they can get their hands on. That's understandable. But many requests will cut too close to the safe holding your company's secret sauce. Before embarking on this journey, define what sits on the other side of the line that can't be crossed. If you're up front about it, the rest of the process can go more smoothly.
- Are you prepared to find a middle ground? Defining the limits is all well and good. But few things ever get done between two sides without some compromise. Be prepared to articulate the middle ground you're willing to meet at. An example for us involved FedRAMP's interest in network scanning. Akamai doesn't generally allow third-party scanning software on its boxes because it can hurt performance. Therefore we compromised on which scans run, when and how often, while offering a detailed explanation of our ongoing vulnerability management procedures.
- Are you prepared for the length of time the certification process will take? We started the process of getting FedRAMP certification in early 2012, and it took a year. To expect quick results is to be easily disappointed. Besides, the quickest way isn't always the best way.
- Are you prepared for the long haul? Once you are certified, there is a lot of painstaking, ongoing work for the sake of upkeep. You have to decide what types of scans you're willing to run and how often. You have to determine how often you're willing to rotate an SSH key in front of an assessor. In other words, once certified, the process is only beginning. The good news is that you already knew that from your experiences with other regulations and industry standards such as PCI DSS, HIPAA and ISO.
As Kathryn explained, pursuing FedRAMP certification was the broadest and deepest security commitment Akamai has ever made. FedRAMP's metrics have the breadth of what is required by the International Organization for Standardization (ISO) and the depth of what is required by the Payment Card Industry's Data Security Standard (PCI DSS).
"When you have proof of what you are doing, and you find more cobwebs and dust bunnies, that's a plus," she said. "As a result of this process, we have swept imperfections out from corners we had not checked in ages. It raised the bar." For example, the review process uncovered parts of Luna-Oracle that needed updating. "We weren't terribly worried about these things, but taking care of them made us even more secure," Kathryn said.
FedRAMP certification means we track our processes more vigorously than ever, write them down and hand the documentation to the federal government each month. That we have that level of commitment weighs heavily on customers' minds, she said.
"We were always trustworthy. Now we are trustworthy and we document it," she added.