How to Pass a FedRAMP Audit for SaaS Providers: Part 2
In our last blog post How to Pass a FedRAMP Audit for SaaS Providers: Part 1 , we looked at what FedRAMP is and why it matters for SaaS providers. We also discussed a success story with one publicly traded Teleport SaaS customer who used Teleport to pass their FedRAMP audit.
In this blog post, we will look at the specific controls you need to implement in order to pass your FedRAMP audit. As a reminder, the foundational document governing FedRAMP requirements is called FedRAMP Security Assessment Framework (SAF). This high-level document covers the process of becoming FedRAMP- compliant, but the technical details of “getting everything right” are described in the publication Security and Privacy Controls for Federal Information Systems and Organizations maintained by the National Institute of Standards and Technology (NIST).
Before preparing for your FedRAMP Audit, you will need to know what level of certification you are going after. FedRAMP categorizes levels of impact as Low, Moderate, and High.
“Cloud Service Offerings (CSOs) are categorized into one of three impact levels: Low, Moderate, and High; and across three security objectives: - - Confidentiality, Integrity, and Availability.
- Confidentiality: Information access and disclosure includes means for protecting personal privacy and proprietary information.
- Integrity: Stored information is sufficiently guarded against modification or destruction.
- Availability: Ensuring timely and reliable access to information.
FedRAMP currently authorizes CSOs at the: Low, Moderate, and High impact levels.”
Most often, when organizations talk about FedRAMP compliance, they are going after Moderate or High. There are currently 325 controls to meet FedRAMP Moderate and 421 to meet FedRAMP High. You can find a complete list on the FedRAMP website. Many of these controls don’t relate to infrastructure access. For those, you will need to work with your team to determine the correct process. For your infrastructure access requirements, there is Teleport.
FedRAMP compliance for infrastructure
The table below connects Teleport features to FedRAMP requirements. It previews how to tighten controls for Linux & Windows servers, databases, Kubernetes clusters, and internal applications like CI/CD environments when preparing for FedRAMP audits.
|AC-03 Access Enforcement||Teleport Enterprise supports robust Role-based Access Controls (RBAC) to:
• Control which SSH nodes a user can or cannot access.
• Control cluster-level configuration (session recording, configuration, etc.)
• Control which UNIX logins a user is allowed to use when logging into a server.
|AC-10 Concurrent Session Control||Teleport administrators can define concurrent session limits using Teleport’s RBAC.|
|AC-17 Remote Access||Teleport administrators create users with configurable roles that can be used to allow or deny access to system resources.|
|AC-20 Use of External Information Systems||Teleport supports connecting multiple independent clusters using a feature called Trusted Clusters. When allowing access from one cluster to another, roles are mapped according to a pre-defined relationship of the scope of access.|
|AU-03 Audit and Accountability – Content of Audit Records and AU-12 Audit Generation||
Teleport contains an Audit Log that records cluster-wide events such as:
• Failed login attempts.
• Commands that were executed (SSH “exec” commands).
• Ports that were forwarded.
• File transfers that were initiated.
|AU-10 Non-Repudiation||Teleport audit logging supports both events as well as audit of an entire SSH session. For non-repudiation purposes a full session can be replayed back and viewed.|
|CM-08 Information System Component Inventory||Teleport maintains a live list of all nodes within a cluster. This node list can be queried by users (who see a subset they have access to) and administrators any time.|
|IA-03 Device Identification and Authentication||Teleport requires valid x509 or SSH certificates issued by a Teleport Certificate Authority (CA) to establish a network connection for device-to-device network connection between Teleport components.|
|SC-12 Cryptographic Key Establish and Management||Teleport initializes cryptographic keys that act as a Certificate Authority (CA) to further issue x509 and SSH certificates. SSH and x509 user certificates that are issued are signed by the CA and are (by default) short-lived. SSH host certificates are also signed by the CA and rotated automatically (a manual force rotation can also be performed).
Teleport Enterprise builds against a FIPS 140-2 compliant library (BoringCrypto) is available.
In addition, when Teleport Enterprise is in FedRAMP/FIPS 140-2 mode, Teleport will only start and use FIPS 140-2 compliant cryptography.
|AC-2 Account Management||Audit events are emitted in the auth server when a user is created, updated, deleted, locked or unlocked.|
|AC-2 (12) Account Management||At the close of a connection the total data transmitted and received is emitted to the Audit Log.|
Teleport Enterprise customers can download the custom FIPS package from the Dashboard. Look for
Linux 64-bit (FedRAMP/FIPS). RPM and DEB packages are also available.
Note that not all relevant NIST requirements are listed above. Contact to schedule a FedRAMP deep-dive with one of our deeply technical Solution Engineers or learn more by downloading our How-to Guide to FedRAMP Compliance for SaaS Providers whitepaper.