Full Report
Compliance shouldn't mean a standstill for innovation. The first of our four-part series explores how Wiz quickly reached FedRAMP High through a "risk-first" philosophy. In parts 2-4 we’ll explore how Wiz helps with FedRAMP requirements through proactive, preventative, and reactive risk management.
Analysis Summary
# Regulation/Compliance: FedRAMP High Authorization
## Overview
The Federal Risk and Authorization Management Program (FedRAMP) is a United States government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The "High" baseline is the most rigorous level of FedRAMP, intended for systems where the loss of confidentiality, integrity, or availability could have severe or catastrophic adverse effects on organizational operations, assets, or individuals.
## Key Details
- **Issuing Authority:** FedRAMP Program Management Office (PMO) / Joint Authorization Board (JAB)
- **Effective Date:** In Effect (Ongoing program)
- **Jurisdiction:** United States Federal Government agencies and Cloud Service Providers (CSPs) serving them.
- **Status:** In Effect
## Requirements
### Mandatory Requirements
1. **Security Control Implementation:** Adherence to NIST SP 800-53 Rev. 5 controls (more than 400 controls in the High baseline).
2. **Continuous Monitoring (ConMon):** Monthly reporting on the security posture of the environment.
3. **Boundary Definition:** Explicitly defining the Authorization Boundary to include all components that process, store, or transmit federal data.
4. **Inventory Management (CM-8):** Maintaining a complete, up-to-date, and accurate inventory of all assets.
5. **Vulnerability Management:** Identifying and remediating vulnerabilities based on federal timelines (e.g., 30 days for High-severity vulnerabilities).
### Recommended Practices
1. **Risk-First Philosophy:** Prioritizing "toxic combinations" of risks (identities, misconfigurations, vulnerabilities) rather than manual checklist completion.
2. **Automation:** Utilizing automated tools for asset discovery and compliance reporting to reduce manual labor.
3. **Shift-Left Security:** Integrating risk assessment early in the software development lifecycle (SDLC) to prevent risks from reaching production.
## Affected Organizations
- **Industries:** Cloud Service Providers (SaaS, PaaS, IaaS) and Third-Party Assessment Organizations (3PAOs).
- **Organization Size:** Applicable to all sizes; however, the High baseline typically requires significant resource investment.
- **Geographic Scope:** Global CSPs wishing to store or process U.S. Federal Government data.
## Compliance Timeline
*Note: Timelines vary by CSP; the Wiz case study emphasizes an "Agile" acceleration.*
- **Ready Phase:** CSP is "FedRAMP Ready" (Readiness Assessment Report approved).
- **In-Process Phase:** CSP is working with an agency or the JAB for authorization.
- **Authorized:** Full Authority to Operate (ATO) granted.
- **Monthly/Annual:** Recurring continuous monitoring and annual assessments required.
## Implementation Guidance
### Assessment Phase
- **Gap Analysis:** Evaluate current security controls against the NIST 800-53 High baseline.
- **Context Discovery:** Automate visibility to understand the "blast radius" of current identities and technologies.
### Implementation Phase
- **Secure by Design:** Implement preventative risk management by blocking insecure code via developer-level assessment.
- **Remediation:** Address "toxic combinations" (e.g., overprivileged identities paired with public-facing vulnerabilities).
### Validation Phase
- **Continuous Audit:** Move from snapshot-in-time audits to persistent, automated monitoring of controls.
- **Third-Party Assessment:** Engage a 3PAO to verify the effectiveness of implemented controls.
## Technical Requirements
- **Cloud-Native Protection:** Use of a CNAPP (Cloud-Native Application Protection Platform) to automate asset inventory (CM-8).
- **Identity & Access Management:** Strict enforcement of Access Control (AC) families.
- **Context-Driven Response:** Augmenting incident response (IR) with cloud-specific context to filter noise and map root causes.
## Penalties & Enforcement
- **Fines:** Loss of federal contract revenue; potential legal liability under the False Claims Act if security posture is misrepresented.
- **Other Consequences:** Immediate suspension of the ATO, loss of reputation, and removal from the FedRAMP Marketplace.
- **Enforcement:** Enforced by the FedRAMP PMO, the JAB, and individual Agency Authorizing Officials (AOs).
## Related Standards
- **NIST SP 800-53 r5:** The primary framework for security and privacy controls.
- **NIST SP 800-37:** The Risk Management Framework (RMF) used to achieve authorization.
- **FIPS 199:** Standards for security categorization of federal information.
## Resources
- **Official Documentation:** [https://www[.]fedramp[.]gov]
- **Guidance Documents:** NIST SP 800-53 Revision 5 catalog.
- **Tools:** Wiz for Government (CNAPP), automated vulnerability scanners, and SIEM tools.
## Practical Recommendations
- **Avoid the "Checklist Trap":** Do not treat FedRAMP as a static exercise; focus on actual risk patterns to satisfy auditors more effectively.
- **Automate Asset Inventory:** Manual spreadsheets are insufficient for the High baseline; use agentless scanning for real-time visibility.
- **Connect Code to Cloud:** Link development risks to production impacts to streamline the "preventative" phase of compliance.
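The "toxic combination" prioritization and the "checklist trap" contrast above, as an added illustration (not Wiz's code or the program's own tooling): a constructed inventory is ranked risk-first, so a public-facing asset with an overprivileged identity sorts ahead of isolated findings even when its ConMon clock has not yet expired. The `Asset`/`Vuln` data model and the Moderate/Low windows in `SLA_DAYS` are assumptions; the page itself only cites the 30-day High window.

```python
from dataclasses import dataclass, field
from datetime import date

# ConMon remediation windows in days by severity; 30 for High is from the page, the rest is assumed.
SLA_DAYS = {"high": 30, "moderate": 90, "low": 180}

@dataclass
class Vuln:
    cve: str          # placeholder identifiers in the sample below, not real CVEs
    severity: str     # "high" | "moderate" | "low"
    found: date       # first detection date, which starts the ConMon clock

@dataclass
class Asset:
    name: str
    internet_exposed: bool   # reachable from the public internet
    admin_identity: bool     # attached identity can administer other resources
    vulns: list = field(default_factory=list)

def days_overdue(v: Vuln, today: date) -> int:
    """Days past the ConMon remediation window (0 while still inside the SLA)."""
    return max(0, (today - v.found).days - SLA_DAYS[v.severity])

def conmon_overdue(assets, today):
    """The checklist view: only findings that have already breached their window."""
    return [(a.name, v.cve) for a in assets for v in a.vulns if days_overdue(v, today) > 0]

def risk_first(assets, today):
    """Rank findings: toxic combinations first, then SLA breaches, then raw severity."""
    sev_rank = {"high": 0, "moderate": 1, "low": 2}
    rows = []
    for a in assets:
        for v in a.vulns:
            toxic = a.internet_exposed and a.admin_identity  # the page's example pairing
            rows.append({"asset": a.name, "cve": v.cve, "severity": v.severity,
                         "toxic": toxic, "overdue_days": days_overdue(v, today)})
    rows.sort(key=lambda r: (not r["toxic"], r["overdue_days"] == 0, sev_rank[r["severity"]]))
    return rows

# Constructed sample inventory (asset names and CVE ids are placeholders).
TODAY = date(2024, 6, 1)
INVENTORY = [
    Asset("web-gateway", True, True, [Vuln("CVE-0000-0001", "moderate", date(2024, 5, 20))]),
    Asset("batch-worker", False, False, [Vuln("CVE-0000-0002", "high", date(2024, 4, 1))]),
    Asset("build-runner", True, False, [Vuln("CVE-0000-0003", "low", date(2023, 10, 1))]),
]

if __name__ == "__main__":
    for r in risk_first(INVENTORY, TODAY): print(r)
```

The checklist view (`conmon_overdue`) never lists `web-gateway` because its Moderate finding is still within 90 days, yet the risk-first ordering puts it at the top; that gap is the point of the "Avoid the Checklist Trap" recommendation.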