Thoughts on FISMA, FedRAMP & Charting a Course to Federal SASE…
By Mark Russo, Chief Architect – Innovation & Strategic Development
Nov 2, 2023 | Originally Published on att.com – April, 2022
The CISO of your first-to-mind Federal agency, in striving to embrace cloud security via SASE, asks herself… “How exactly am I supposed to do this?”
In the Federal space, agencies really need to hear the words ‘FedRAMP’ for cloud-based platforms and/or ‘FISMA’ for holistic managed service solutions. The latter, when truly turn-key, encompasses Service Delivery (edge-location device installation and turn-up), Service Assurance (‘Day 2’ monitoring and management operations), and Break/Fix (maintenance activities) as needed; many of these items require visits to agency sites by vetted, trusted staff.
Secure Access Service Edge (SASE) was put forth by Gartner in 2019, and we’re all trying our best to get behind it. The five original Pillars: SD-WAN, FWaaS, ZTNA, CASB, and SWG. SASE began as a conceptual framework, and (at least in my experience), there are some facets that even today remain a bit ‘subject to interpretation.’
But one of the root tenets that comes through clearly: cloud platform and cloud service leverage.
Now, here’s where I’ll try my best to step into the shoes of that Federal CISO considering how to truly embrace SASE. To begin the journey. To Managed SASE. Today.
The first 3 questions I keep coming up with:
- Are there FedRAMP realizations of each of those 5 SASE Pillars out there… today?
- If so, and if they’re multi-vendor-realized, have they been certified to work together… today?
- And finally, what’s the FedRAMP footprint of these SASE Pillar Cloud POPs? (I need LOTS of POPs. In the ideal, I want a cloud POP [hosting each of those FedRAMP-blessed SASE Pillar capabilities] in the same city as every one of my Edge sites. Because consider the converse: If only two such FedRAMP SASE Cloud POPs exist, one in the ‘East’ and one in the ‘West,’ doesn’t that essentially just boil down to having dual data centers – with every edge flow hairpinned cross-country to reach them??)
Our Federal CISO (still in my imagination, now sitting at her desk) thinks to herself, “Hmm… I need to dive deeper here.”
“What is it that’s going to set us down the Managed SASE path in a way that allows us to manage risk to our enterprise – building from solid foundations that can functionally scale forward? I need optimized, near-real-time adaptive network performance; I need security, and I need holistic monitoring, management, and maintenance for the entire platform.”
This is quite a lot to think about. So, let’s break it down.
(And I’ll keep using quoted text for my ‘thinking as the CISO’ mindset!)
Let’s start with Gartner’s SASE Pillar 1 and nothing more for a moment: SD-WAN:
“I need edge devices at my sites, creating a near-real-time adaptive [policy-based] WAN overlay, and I need these from a vendor I know and trust. In addition? I’d love a known and trusted Managed Service Provider (MSP) to partner with us – overseeing our entire infrastructure in genuine, risk-sharing collaboration.”
The above exists today: AT&T as the FISMA-compliant MSP, in direct partnership with Cisco as the provider of select FIPS 140-2 validated and TAA-compliant SD-WAN Edge devices.
And those CISO thoughts above convey exactly why AT&T built it: AT&T SD-WAN with Cisco – FISMA.
So, for Pillar 1 technically, operationally – and in alignment with Federal requirements (FISMA), there’s a path forward… right this minute.
“Awesome.”
For Pillars 2/3/4, let’s turn now to what I sometimes call the Proxy/Firewall Trio: SWG/FWaaS/CASB: These have always been interesting SASE concepts to me, because I’ve never quite fully understood why these services are best leveraged from any cloud environment – when they might one-day be implemented by the Edge devices themselves.
Consider this: Each enterprise has a physical footprint, composed of every single edge site. And without “FedRAMP Pillar Cloud POP” presence in each Edge site city… is there any short-term advantage to leveraging cross-country hops to CSP FedRAMP realizations of these functional Pillars, if they can conceivably be done locally? Or even if they can be performed at existing, trusted enterprise data centers that have been invested in and hardened for years??
No doubt, existing enterprise data centers are ‘less sexy’ than CSP-Based FedRAMP SaaS SASE Pillars.
But to take the consideration even further, imagine this… What if those SD-WAN [Pillar 1] edge devices, that run extensible operating systems, one day, opted to support these three functions? Via a software update?? If that were to happen, might this render the “FedRAMP Pillar Cloud POP Ubiquity” requirement for these Pillars as, perhaps… moot?
SASE is a journey; we all understand this. And as such, it needs to be achieved with pragmatic, risk-minimizing and testable/empirical prudence. Especially for our Federal agency partners.
So, our fictitious CISO’s view? Well…
“Unless I can be convinced of Cloud-based offerings that get me more security than leveraging my Edge devices (which are fully ‘ubiquitous’ relative to our enterprise edge ‘universe’) – I’m good with Pillar 1 (via my Cisco Edge devices) for now. Heck, I can even ask/task my MSP to manage our firewalls too – even if some are still appliance-based at present. We paid for those already, and they’re out there working for us right now. So, unless I discover I need more for these 3 Pillars this second, that I cannot get from my MSP or Edge devices, or even my existing ‘legacy’ data centers… I’m good on these fronts. For the moment.”
But wait – Am I totally disagreeing with Gartner?
Will lightning strike me down the next time I go out to get the mail??
Not disagreeing with the vision – it’s a wonderful aspirational vision, and we’re all striving to align. But pragmatics nearly always dictate the roads we travel to reach our destinations.
Let’s look at the current landscape – where are agencies likely starting from? Each has an embedded base: sites, hardware, software, expert staffing, operational [NOC/SOC] processes and oversight – all of which has taken years (or decades) to achieve the present functional maturity. There’s almost surely inefficiency to address and optimize, but it may not be 100% clear ‘how exactly’ certain things are working today due to the long history of enterprise evolution; some (or many) of the original designers are no longer with their organization – they’ve moved on or retired. In short, there’s inherent agency risk here.
Couple that, now, with modernization considerations: We have vendor product marketing claims for SASE-aligned capabilities that we need to validate and test. We have inter-vendor compatibility risks to address in consideration of heterogeneous (multi-vendor) environments – which are complex right out of the gate, but then even more-so as each vendor’s capabilities evolve forward. Might something that we can prove works today, then… ‘break’ tomorrow?
Tricky.
But we’re not finished yet – there’s another Gartner Pillar. And it’s a really important one…
Pillar 5: Zero Trust Network Access (ZTNA):
What’s wonderful about ZTNA is that there’s a detailed NIST document that focuses on it squarely: Special Publication (SP) 800-207, “Zero Trust Architecture.” (Strictly, SP 800-207 describes zero trust architecture as a whole; ZTNA is the product category that implements its per-request access-control portion.) ZTNA, as I see it – is about user and application-level authentication and authorization. The functionality, to me, kind of boils down to ‘inspection’ of data transactions based on designated security policy. Please focus on that word, ‘inspection.’ Because here again – I’m going to have to raise, for Federal agencies, my “Cloud Pillar [Limited] FedRAMP Ubiquity” red flag.
Consider this view now: A Federal enterprise exists today. It has dual data centers and many edge sites; let’s say there are 100 edge sites. (Some have thousands. One of the largest USG enterprises I know has close to 30,000 sites.) And I now need to inspect every single transaction via CSP-based SaaS applications that realize a NIST-aligned Zero Trust capability – and that have been… FedRAMP’d.
Let’s go to our CISO:
“My head just exploded. If I must take, now, every single one of my flows to be inspected at remote sites, I want them to be MY sites. Or sites deeply under the control of my closest long-term, trusted partners who share the management risk with me. Especially if the access is to my most sensitive, mission-critical applications that I choose not to host (or simply cannot host) in cloud-based platforms. For access to applications spun up within CSP environments already – maybe, yes. But show me the use cases, and we’ll work toward a holistic phased plan from there. I might need some Advil first, though.”
(She probably wouldn’t say that last sentence out loud. I would, though.)
This seems like a good place to step back now.
We’ve had some fun with our fictitious CISO discussion, but the root question remains…
How then might Federal Agencies best begin their journey toward Managed SASE?
The best course to Managed SASE may currently be a bit uncharted, as I see it.
Perhaps even more so when considering multi-vendor, heterogeneous environments.
And especially for Federal agencies, as they must contend with FISMA and FedRAMP requirements.
I believe the path forward needs to start on solid ground – and needs to progress forward one very-careful step at a time.
And with this mindset, I’ll offer three initial steps to consider:
Step 1: Plan a transition to SD-WAN-enabled edge devices (via a trusted vendor planning ongoing capability uplifts), managed via a trusted MSP that has FISMA infrastructure (people/process/tools) audited and in-pocket already. This all exists today. Via Cisco and AT&T. AT&T SD-WAN with Cisco – FISMA.
Step 2: For the other 4 SASE Pillars, start planning by looking at a) what you can get from your existing data centers and from your trusted MSP’s data centers. And in parallel b) assess the FedRAMP ubiquity of those same capabilities relative to your enterprise edge footprint.
Step 3: Develop a business plan to anticipate the ‘cross over’ point. Will there be a certain level of ‘FedRAMP Ubiquity’ (relative to your specific enterprise footprint) when those 4 SASE Pillars beyond SD-WAN make business and technical sense to achieve from CSP-based FedRAMP Pillars?
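As an added example (not code from the original post, AT&T, or Cisco), here is one way to put numbers behind Steps 2b and 3: score “FedRAMP POP ubiquity” as the fraction of your edge sites whose nearest FedRAMP POP falls within a round-trip latency budget, then replay a provider’s planned POP roll-out year by year to find the crossover point. Every site name, POP name and coordinate below is constructed sample data, and the 0.01 ms-per-km latency rule of thumb is an assumption; substitute your own site list, the provider’s actual authorized POP locations and measured RTTs.

```python
"""Added example (not part of the original post): scoring 'FedRAMP POP
ubiquity' against an enterprise edge footprint, per Steps 2b and 3.

Every coordinate, site name and POP name below is constructed sample data;
none of it is a real agency footprint or any provider's actual FedRAMP POP
list. The latency rule of thumb is likewise an assumption for illustration.
"""
import math

EARTH_RADIUS_KM = 6371.0
# Assumption: roughly 0.01 ms of round-trip time per km of fibre path, before
# whatever processing the POP itself adds. Replace with measured RTTs.
RTT_MS_PER_KM = 0.01


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def nearest_pop(site, pops):
    """Return (pop, distance_km) for the POP closest to the site."""
    best = min(pops, key=lambda p: haversine_km(site["lat"], site["lon"], p["lat"], p["lon"]))
    return best, haversine_km(site["lat"], site["lon"], best["lat"], best["lon"])


def coverage(sites, pops, rtt_budget_ms):
    """Fraction of edge sites whose nearest POP is within the RTT budget,
    plus a per-site row showing which POP each site would hairpin through."""
    rows = []
    for site in sites:
        pop, km = nearest_pop(site, pops)
        rtt = km * RTT_MS_PER_KM
        rows.append({
            "site": site["name"],
            "pop": pop["name"],
            "km": round(km),
            "rtt_ms": round(rtt, 1),
            "covered": rtt <= rtt_budget_ms,
        })
    covered = sum(r["covered"] for r in rows)
    return covered / len(rows), rows


def crossover_year(sites, pop_plan, rtt_budget_ms, threshold):
    """First year in which the cumulative planned POPs cover at least
    `threshold` of the sites; None if the plan never gets there."""
    live = []
    for year in sorted(pop_plan):
        live.extend(pop_plan[year])
        frac, _ = coverage(sites, live, rtt_budget_ms)
        if frac >= threshold:
            return year
    return None


# Constructed sample footprint (four sites) and a constructed POP roll-out plan.
SITES = [
    {"name": "HQ-East", "lat": 38.90, "lon": -77.04},
    {"name": "Field-West", "lat": 37.77, "lon": -122.42},
    {"name": "Field-Mountain", "lat": 39.74, "lon": -104.99},
    {"name": "Field-South", "lat": 29.76, "lon": -95.37},
]
POP_PLAN = {
    2024: [{"name": "POP-East", "lat": 38.90, "lon": -77.04},
           {"name": "POP-West", "lat": 37.77, "lon": -122.42}],
    2025: [{"name": "POP-Mountain", "lat": 39.74, "lon": -104.99}],
    2026: [{"name": "POP-South", "lat": 29.76, "lon": -95.37}],
}

if __name__ == "__main__":
    # The 'East plus West only' case from earlier in the post: half the sites
    # are within a 5 ms budget, the rest hairpin 1,500 km or more.
    frac, rows = coverage(SITES, POP_PLAN[2024], rtt_budget_ms=5.0)
    for r in rows:
        print(r)
    print(f"2024 ubiquity: {frac:.0%}")
    print("crossover year at 90% coverage:", crossover_year(SITES, POP_PLAN, 5.0, 0.9))
```

With only the East and West POPs live, the two distant field sites in the constructed data would hairpin roughly 1,500 to 2,000 km to reach a POP, so ubiquity is 50%; the plan only crosses 90% once the fourth POP lands. The same loop works for any Pillar capability, so you can run it once per Pillar against the provider’s authorized POP list and see which Pillars are worth moving to the cloud first.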
For me though, if I was in that CISO role today, what would I do this minute? I’d keep it simple.
I’d start with Step 1.