Cloud companies that wish to do business with the United States federal government can only do so if they receive authorization under the Federal Risk and Authorization Management Program (FedRAMP). For a cloud service or product to get authorized through FedRAMP, its maker must demonstrate that it meets certain security standards. Given the importance and predominance of Application Programming Interfaces (APIs) in cloud computing, API security is a critical factor in achieving FedRAMP authorization. This article explores why this is the case and looks at ways API security measures can help a cloud service become FedRAMP authorized.
FedRAMP came into existence in 2012 after the federal Office of Management and Budget (OMB) recognized the need for cloud security as government agencies began to adopt cloud services. It is a government-wide program providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Cloud service providers and other cloud vendors, such as Software-as-a-Service (SaaS) companies, must adhere to FedRAMP standards in order to work with federal government clients. Prior to FedRAMP, each federal agency managed its own security assessment based on guidance set by the Federal Information Security Management Act of 2002 (FISMA).
Getting authorized for FedRAMP is a process that requires some commitment. It’s telling that in the 10 years since the FedRAMP Project Management Office (PMO) went into operation, just 279 products and services have been authorized. These include big names like Oracle and Salesforce.com. It is an attainable goal, however, for companies that are up for making the effort.
To get authorized, a cloud product has to pass a security assessment performed by a Third Party Assessment Organization, or FedRAMP 3PAO. This setup will be familiar to companies seeking certification with PCI-DSS payment card security standards. A 3PAO, which itself must be accredited by FedRAMP, is an independent firm that specializes in the rigorous process of assessing cloud products for security.
In particular, the 3PAO examines the cloud product’s security characteristics and determines if they are in alignment with controls defined by the National Institute of Standards and Technology (NIST) Special Publication number 800-53. This is a common practice for companies that work with the U.S. federal government or are subject to government regulation. Many of the technology and security requirements in FedRAMP are derived from standards developed by NIST.
APIs are relevant to FedRAMP authorization because APIs represent a source of risk to cloud products. A cloud product needs to show that its API security aligns with relevant controls in NIST 800-53. There are over 300 controls in the framework, grouped into “families” or control groups that apply to the “Moderate” level of FedRAMP authorization. For example, under the Access Control (AC) family, NIST 800-53 specifies 25 separate controls. These include AC-17, which deals with remote access, AC-12, which covers session termination, and so forth.
For the sake of simplicity, API security fits with nine of the 18 control families in NIST 800-53. Each of these nine families has controls that are affected by the presence and operation of APIs. For example, under Security Assessment and Authorization, known as “CA” in the framework, the CA-1 control requires policies and procedures. These include details like “Develop, document, and disseminate to [someone in a role] procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls.”
CA-1 must be applied to APIs because APIs must be subject to security policies if they are to be secure. The 3PAO will be examining a cloud product’s APIs to see if they are covered by necessary procedures to facilitate the implementation of monitoring policies.
The following are the FedRAMP NIST control families that align with API security. In each case, the Noname API security solution provides functionality that bolsters the cloud product’s potential for FedRAMP authorization:
These are some of the ways that API security is a factor in FedRAMP authorization. 3PAOs take API security into consideration when assessing the security characteristics of a cloud product applying for the FedRAMP program. API security solutions from Noname Security enable the controls and processes that help you address the API security issues in the FedRAMP authorization process.