Federal Agencies Face Challenges Managing Cloud Security and Risk. SkyePoint and Caveonix Can Help.
As federal agencies move from a cloud-first approach to a cloud-smart one, it has become increasingly clear that there is a surprising lack of visibility and auditability of the security controls used in various cloud environments. While this is problematic even with a single cloud platform, when an agency has adopted a multi-cloud strategy the issue of visibility and auditability is compounded.
FedRAMP-based systems offer a level of assurance to agencies. However, when SkyePoint reviews the ATO packages from several FedRAMP-based systems, we continue to uncover gaps in controls or control evidence that could result in increased risk to the agency. In particular, the recent changes to FedRAMP through H.R.8956, especially the 3613(e) Presumption of Adequacy clause, allow agencies to adopt FedRAMP-authorized tools without further review or validation by the agency. While this rule provides a meaningful path for agencies to utilize FedRAMP-authorized tools, it also places an additional burden on agencies to ensure the systems are configured and implemented to best meet their risk tolerance and mission needs.
Combining Efforts with Caveonix to Address Potential Security Risks
For over 14 years SkyePoint has supported the cybersecurity mission, Governance, Risk and Compliance (GRC), and continuous monitoring for our federal customers through the identification, analysis, detection, and implementation of cloud-based systems and risk-reduction controls. Our experience protecting agencies’ cloud infrastructure and auditing FedRAMP security packages for ATO recommendations has resulted in partnerships with organizations like Caveonix.
SkyePoint has partnered with Caveonix and its Caveonix Cloud capabilities to provide an integrated platform for hybrid multi-cloud security, compliance, and governance. Caveonix Cloud empowers ISSOs, security analysts, independent controls assessors, and vulnerability management teams with a platform that automates and streamlines the RMF process. First, Caveonix Cloud supports the system categorization process through a powerful and efficient asset discovery capability. Then, leveraging the latest NIST 800-53r5 controls, agencies are provided with a categorization-driven baseline that automatically inherits common controls, based on a scan and review of implemented controls. We then tailor the controls to agency-specific risk tolerances and mission requirements. Caveonix Cloud auto-populates templates using both standard and dynamic content and automates the completion of between 50% and 90% of initial ATO documentation.
Regarding independent assessments, the Caveonix Cloud platform provides automated assessment capabilities that reduce the burden on both ISSOs and ICAs for providing and reviewing/validating audit evidence. Additionally, the tool provides a forum for manual assessments of controls, including interviews and testing, then enables the creation of Risk Scores and audit dashboards that highlight the risk status of each system and the organization.
During the authorization phase, Caveonix Cloud provides audit reviews and ATO artifact submissions, including the SSP, SAR, and POA&Ms, and provides a means for digital sign-off to simplify and streamline the ATO process.
The real strength of Caveonix Cloud lies in the tool’s ongoing assessment/continuous monitoring capabilities. With continuous asset inventory, automated assessments, third-party integrations, and near real-time automated remediation, agencies have a 360-degree view of the applications and infrastructure across the entire hybrid multi-cloud environment.
Interested in protecting your agency from cyber risks? Contact firstname.lastname@example.org today to start the conversation.