How to Be FedRAMP Compliant with Okta
Government agencies are often responsible for storing key information about their citizens, making security a critical focus area when it comes to working with cloud service providers.
The Federal Risk and Authorization Management Program (FedRAMP) is an assessment and authorization process used by US government agencies to ensure proper security controls are implemented when adopting cloud solutions. So, if your company is interested in selling cloud products or services to federal agencies, you must first meet a number of security requirements and implement baseline security controls in order to receive FedRAMP authorization.
In my previous posts on FedRAMP compliance, I discussed:
In this post, we’ll discuss how you can configure Okta for FedRAMP compliance.
Challenge: Meeting compliance standards
Getting FedRAMP’s seal of approval is no easy task. Each impact level (Low, Moderate, FedRAMP+, and High) has its own list of security controls you’re required to meet and then continuously monitor.
The process of mapping, implementing, and documenting security controls can take anywhere from 12 to 24 months, depending on the state of your company’s existing information security control infrastructure. Fortunately, as mentioned in my last post, you can leverage a FedRAMP authorized cloud service operator (CSO) like Okta to meet certain FedRAMP controls via inheritance and shorten the time it takes to obtain your own Authority to Operate (ATO).
Inheriting Okta’s controls eliminates redundant validation of compliance. In other words, your company doesn’t have to be reassessed or provide information about how Okta is performing, as that information is found in its System Security Plan (SSP). Okta is currently classified as a FedRAMP Moderate or IL2 (impact level 2) CSO, and is working towards getting its FedRAMP+ classification (IL4).
That said, it’s not enough to just inherit Okta’s controls to meet your FedRAMP requirements. Your Okta org needs to be configured in a specific way to maintain FedRAMP compliance.
So where do I start?
In order to take advantage of Okta’s ATO and ensure your own FedRAMP compliance, you need to go through FedRAMP controls individually and see how they may apply to the settings in your Okta org. For instance, if you inherit Okta’s IA-2 controls (Multi-Factor Authentication (MFA) or Okta Verify), you need to configure them correctly within the Okta Admin panel. This includes creating a rule for password complexity requirements and then assigning it to the group(s) in FedRAMP scope.
We have summarized these controls and settings in our Configuring Okta for FedRAMP Compliance whitepaper to demonstrate a minimum bar at which you can meet FedRAMP requirements.
But before you start configuring your Okta org, review and take any necessary action on the following:
SIEM configuration for monitoring: Configure your SIEM to consume the Okta logs to ensure monitoring is sufficient for your regulated environment.
Okta basic settings:
- Set up unique usernames for all users.
- When setting up MFA, ensure your methods meet FedRAMP requirements and are FIPS validated. The following are viable options: Okta Verify, FIPS-validated MFA/U2F keys, PIV/CAC credentials, and other FIPS-validated authenticators.
- Keep in mind that you are responsible for ensuring that the registration process for receiving hardware and biometric authenticators is conducted in person, with an organization-defined registration authority.
Document security policies: Ensure your policies and procedures for the creation, modification, and deletion of all user identification and authentication credentials, as well as for roles and groups, are written to include Okta.
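The SIEM item above says to consume the Okta logs but not what the SIEM should do with them. The following is an added example, not Okta’s code and not taken from the whitepaper: it flattens Okta System Log events (field names follow the public System Log API, `GET /api/v1/logs`) into SIEM-friendly records, tags the event types a FedRAMP continuous-monitoring program would typically alert on (credential, privilege and policy changes, failed sign-ins), counts repeated failures per source address, and parses the `Link` header Okta uses to paginate log results. The sample events, the watchlist, the failure threshold and the `example.okta.com` URL in the usage below are constructed placeholders, not values from the page.

```python
"""Flatten Okta System Log events for a SIEM and tag the ones that matter.
Added example, not Okta's code; field names follow the public System Log API
(GET /api/v1/logs). Sample events, watchlist and threshold are constructed."""
import json
from collections import Counter
from typing import Iterable, Optional

# Constructed watchlist of event types a FedRAMP monitoring program should
# alert on (credential, privilege and policy changes). Tune it to your SSP.
WATCHLIST = {
    "user.mfa.factor.deactivate": "MFA factor removed",
    "user.mfa.factor.reset_all": "All MFA factors reset",
    "user.account.privilege.grant": "Admin privilege granted",
    "policy.lifecycle.update": "Sign-on/password policy changed",
    "system.api_token.create": "API token created",
}

def flatten(event: dict) -> dict:
    """Pull the fields a SIEM correlation rule needs into one flat record."""
    actor = event.get("actor") or {}
    client = event.get("client") or {}
    outcome = event.get("outcome") or {}
    return {
        "time": event.get("published"),
        "event_type": event.get("eventType"),
        "result": outcome.get("result"),
        "reason": outcome.get("reason"),
        "actor": actor.get("alternateId"),
        "src_ip": client.get("ipAddress"),
        "targets": [t.get("alternateId") or t.get("displayName")
                    for t in event.get("target") or []],
    }

def classify(record: dict) -> Optional[str]:
    """Return an alert label for the record, or None if it is routine."""
    event_type = record["event_type"]
    if event_type in WATCHLIST:
        return WATCHLIST[event_type]
    if event_type == "user.session.start" and record["result"] == "FAILURE":
        return "Failed sign-in"
    return None

def failed_signins_by_ip(records: Iterable[dict], threshold: int = 3) -> dict:
    """Count failed sign-ins per source IP, keeping those at/above threshold."""
    counts = Counter(r["src_ip"] for r in records
                     if r["event_type"] == "user.session.start"
                     and r["result"] == "FAILURE" and r["src_ip"])
    return {ip: n for ip, n in counts.items() if n >= threshold}

def next_page_url(link_header: str) -> Optional[str]:
    """Return the rel="next" URL from Okta's Link header, or None if absent."""
    for part in link_header.split(","):
        url, _, rel = part.partition(";")
        if 'rel="next"' in rel:
            return url.strip().strip("<>")
    return None

def process(lines: Iterable[str]):
    """Parse newline-delimited JSON events; return (records, alerts)."""
    records, alerts = [], []
    for line in lines:
        if not line.strip():
            continue
        record = flatten(json.loads(line))
        records.append(record)
        label = classify(record)
        if label:
            alerts.append((label, record["actor"], record["time"]))
    return records, alerts

def _event(published, event_type, actor, ip, result, reason=None, target=()):
    """Build one constructed System Log event as a JSON line."""
    return json.dumps({
        "published": published, "eventType": event_type, "severity": "INFO",
        "actor": {"type": "User", "alternateId": actor},
        "client": {"ipAddress": ip},
        "outcome": {"result": result, "reason": reason},
        "target": list(target),
    })

# Constructed sample: one good sign-in, three failures from one address,
# then an administrator removes a user's MFA factor and edits a policy.
SAMPLE_LINES = [
    _event("2024-01-10T14:02:11.000Z", "user.session.start", "alice@example.gov",
           "203.0.113.10", "SUCCESS"),
    _event("2024-01-10T14:05:01.000Z", "user.session.start", "bob@example.gov",
           "198.51.100.7", "FAILURE", "INVALID_CREDENTIALS"),
    _event("2024-01-10T14:05:09.000Z", "user.session.start", "bob@example.gov",
           "198.51.100.7", "FAILURE", "INVALID_CREDENTIALS"),
    _event("2024-01-10T14:05:17.000Z", "user.session.start", "bob@example.gov",
           "198.51.100.7", "FAILURE", "INVALID_CREDENTIALS"),
    _event("2024-01-10T14:07:30.000Z", "user.mfa.factor.deactivate",
           "admin@example.gov", "203.0.113.22", "SUCCESS",
           target=[{"type": "User", "alternateId": "bob@example.gov"}]),
    _event("2024-01-10T14:09:45.000Z", "policy.lifecycle.update",
           "admin@example.gov", "203.0.113.22", "SUCCESS",
           target=[{"type": "PolicyEntity", "displayName": "Default Policy"}]),
]

if __name__ == "__main__":
    recs, found = process(SAMPLE_LINES)
    print(found, failed_signins_by_ip(recs))
```

In a real deployment the collector polls `GET /api/v1/logs` with a `since` timestamp and follows `next_page_url` until it returns `None`, then feeds each page to `process`; the flat records are what your SIEM indexes, and the alert labels map naturally onto the audit and account-management controls you document in your SSP.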
Okta and Okta Verify meet FICAM (also known as NIST 800-63-3) requirements as follows:
- IAL: Okta does not perform identity verification; meeting level 1, 2, or 3 is the customer’s responsibility
- AAL: Okta with Okta Verify is level 3 compliant
- FAL: Okta is level 2 compliant
Leveraging Okta reduces the number of controls you have to complete in-house to become FedRAMP compliant. This means significantly less grunt work for your staff, allowing them to focus more on their core competencies and the business' core offerings.
And because Okta provides a detailed list of controls and settings required to meet FedRAMP Moderate or FedRAMP+, you can ensure that there will be fewer errors as you configure the settings in your Okta org and a reduced risk of missing a setting.
In my next blog post in this series, I discuss How to Protect IL4 Data with Okta. For more information on the topic of FedRAMP, see the resources below: