What about FedRAMP?

If you're looking for my pandemic posts, go here.

After last week’s post on CIP and the cloud – which painted a pretty gloomy picture of the likelihood that BES Cyber Systems will be able to be “legally” (as far as CIP is concerned ) placed in the cloud in the near future – a good friend of mine, who is CISO of a large NERC entity, dropped me an email which led to a good exchange in which we discussed three major points. This post discusses one of those points. I’ll discuss the other two in subsequent posts.

My friend started off by pointing out that a FedRAMP certification could easily be seen as evidence of compliance with a number of the CIP-003 through CIP-011 requirements, since it’s doubtful there’s any requirement in those standards that isn’t addressed in some way in FedRAMP already. He also noted that at least a couple groups within NERC or one of the Regions have engaged with one of the major cloud providers, presumably to see how perhaps some of the FedRAMP controls might be accepted as compliance evidence for at least some CIP risks.

This idea has been discussed for a while, especially within the Compliance Input Working Group (CIWG) of the late, lamented NERC CIPC (which was this year swallowed whole – and thoroughly digested, it seems - by the new Reliability and Security Technical Committee or RSTC). However, it hasn’t been discussed in the concept of BCS in the cloud – just of BCS Information (BCSI) in the cloud.

In fact, the CIWG discussed this idea when they started considering how the CIP standards could be modified to allow BCSI to be stored in the cloud at least a couple of years ago. As I discussed briefly in the previous post, the drafting team that was later assigned the task of making this happen has focused on a different solution to the problem, which I prefer because it takes a more comprehensive, risk-based approach. But I believe the immediate BCSI problem could also have been solved by changing the Measures for the requirements in question, so that FedRAMP certification would be accepted as evidence of compliance.

However, my previous post pointed out that the problem of BCSI in the cloud is very different from that of BES Cyber Systems themselves in the cloud – and the latter simply has no good solution within the current CIP standards. The biggest problem is that so many of the CIP-003 through CIP-011 requirements would apply either to individual cloud employees or to individual cloud systems, and there must be documentation of every instance when a control was applied. There’s simply no way any cloud provider could ever provide the required evidence without breaking their business model.

I suppose that it might be possible to “solve” this problem by kind of “forking” the Measures sections of the requirements. In other words, there would be two ways an entity could demonstrate compliance with each requirement. One is to have the documentation currently required. To use the example of CIP-007 R2.2 compliance, this means evidence that, for every piece of software installed on any Medium or High impact BCS or PCA, the entity “contacted” the patch source to determine whether a new security patch has been issued in the last 35 days (and of course, this evidence needs to be available for every piece of software – in fact, every version of every piece of software used on a BCS or PCA - in scope, for every month of the audit period).

The other fork would be for the NERC entity to show that the cloud provider where the BCS was implemented has a FedRAMP certification, and beyond that, they have a passing grade (or whatever it’s called) for the FedRAMP requirement that “maps” to the CIP requirement in question.  Now, I want to ask you (and I request you answer honestly): If for example you have 1,000 pieces of software within your ESPs, would you find it easier to:

1.      Gather 1,000 pieces of evidence that you had contacted a patch source every month, with the result that you will need to have those 36,000 pieces of evidence all indexed and available for your next audit (which of course will be roughly 36 months after your last one) – and of course, woe betide you if you’re missing more than one or two of those 36,000 pieces of evidence (yea verily, great will be the weeping, wailing and gnashing of teeth of the poor souls condemned to this hell); or

2.      Just get the cloud provider to copy the section of their FedRAMP certification that shows they have in place controls somewhat similar to those in CIP-007 R2.2 (OK, so it might be a little more complicated than that. But certainly nothing like the first option)?

If you said number 2, I’m sure you’ll agree with 99.9% of the other readers – in fact, I’d seriously wonder about anyone who said item 1 might be easier (and remember, if FedRAMP were to be included in the CIP Measures in this way, it would only have been with the prior agreement of the major cloud providers that they would provide the required evidence. In fact, they could just provide it once to each Region, rather than make every entity in the Region obtain it and submit it. So this might even be a zero-effort option).

What will be the effect of changing the Measures section of each CIP requirement to include this FedRAMP “get out of jail free” card? You got it: as soon as it was clear these changes had been approved by FERC, just about every CIP entity with Medium or High impact BCS would be on the phone to their friendly neighborhood cloud provider, making arrangements to transfer as many of their BES Cyber Systems as possible into the cloud, probably the day after the implementation date for the revised standards.

And this, Dear Reader, is why I don’t think the idea of NERC simply waving its hands and declaring that FedRAMP certification is evidence for CIP compliance is really going to be successful. Sure it will enable those entities who already wanted to do this to move their BCS to the cloud. But it also would literally force all other entities to do their darndest to move their BCS to the cloud as well, whether or not they had security or other concerns about doing this. And believe it or not, this wouldn’t be good for the cybersecurity of the grid.

In other words, changing the CIP standards so that BCS can be installed in the cloud doesn’t have an easy solution. Two hard questions need to be addressed first:

1.      How can the CIP standards be rewritten so that they don’t require evidence based on individual instances of compliance – i.e. evidence that controls were applied for particular systems or for particular individuals? The point is that it won’t help to fix this problem for NERC entities that have BCS at cloud providers, but not at the same time for entities that aren’t inclined to pick up their BCS and move as many of possible into the cloud as soon as possible, without a full consideration of the risks. Unless you want to make the latter as hard-to-find as the passenger pigeon or dodo bird, of course. I gave some brief hints at the answer to this question in my previous post.

2.      Are there any serious cyber risks that apply to cloud providers, that aren’t addressed either by CIP or by FedRAMP (spoiler alert: I think the answer is yes, as discussed in this post, and this one)? If so, doesn’t that mean there might need to be some new CIP requirements before the Good Housekeeping Seal of Approval is bestowed on the cloud providers, FedRAMP or no FedRAMP?

I will discuss this second question in the next of the three posts in this series, coming soon to a blog near you.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

Are you wondering if you’ve forgotten something for the 10/1 deadline for CIP-013 compliance? This post describes three important tasks you need to make sure you address. I’ll be glad to discuss this with you as well – just email me and we’ll set up a time to talk.