In exciting news, New Relic has obtained Federal Risk and Authorization Management Program (FedRAMP) Authority to Operate (ATO) with the U.S. Office of Management and Budget (OMB). The FedRAMP ATO enables New Relic to operate as a Cloud Service Provider (CSP) for systems operating at the FIPS 199 “Moderate” impact level. Read more about the certification in this post.
In this Q&A, we chat with Shaun Gordon, SVP and Chief Security Officer of New Relic. Shaun is involved in all aspects of security at New Relic, including applications, infrastructure, networks, and even physical security.
In this post, we talk with Shaun about what FedRAMP is, why it's important, and what it means for our customers, whether or not they work in the public sector.
About the FedRAMP ATO
New Relic: What exactly is FedRAMP, and what is the Authorization to Operate?
Shaun: The Authorization to Operate, or the ATO, means that we have been authorized to operate, or to be used, within a federal government agency.
So, in this case, for us, it happened to be at the OMB. At a broader level, basically what it means is that it's a process where a cloud service provider has been authorized to operate within a single agency.
There's a set of security controls that that provider has to implement, 325 controls or so. They implement them; they get audited against them; and then the agency reviews those. And finally, if they think they look good, you get approval.
Once you've got that approval, that agency can use that product as much as they want. In addition, other agencies can look at that approval process and decide whether they want to go through the same thing and leverage that in a lot of different ways.
New Relic: Do they then have to go through that same approval process, or they use the existing ATO?
Shaun: They can't actually use the existing ATO as it is, but they can leverage that. In the past, if one agency wanted to basically use a piece of software, or use a cloud service provider, they would have to figure out how to do a security review, decide if it was appropriate, document it, and if they accepted the risk, they could use it.
Now what can happen is that one agency goes through this FedRAMP process, and then if another agency wants to use that product, they can look at that and say, "Okay, this is what that agency did." They can look at the first ATO and the assessments submitted along with it, and if they are satisfied with it they can then submit their own ATO and get it approved.
A lot of process for FedRAMP, but worth it
New Relic: So, what did New Relic get a FedRAMP ATO in exactly?
Shaun: Well, our sponsoring agency was OMB, and we got our authorization at a moderate level. There are really three levels that people can get authorized for. There's a low level, which basically means you're being used in an environment where there's only public information, information that's available elsewhere.
New Relic: And those security requirements would be less onerous in that situation.
Shaun: They're going to be much lower, yeah. We did moderate, which means that the data that we use, the data that we see, could cause a serious impact if breached or compromised, and it includes PII.
New Relic: PII is Personally Identifiable Information.
Shaun: Thank you, there you go. We as a company don't generally collect PII. We don't need it for our product to operate. However, we don't have publicly available information. So that puts us into that moderate category.
New Relic: Got it.
Shaun: There's also a high category, which basically means there could be very critical consequences if this data was leaked to the economy, that sort of thing. We generally aren't going to be used in those environments anyway. For the government, that's going to be some, you know, fairly secure things like defense contractors.
New Relic: Right. Are there different kinds of authorizations for different kinds of software or different kinds of cloud services? For example, is there a special APM ATO? Or is it general across any kind of software or service?
Shaun: For that particular level, it's going to be general across any sort of service. Everybody will go through the same process.
Now, one of the things that happens is this audit on this process, just like any other sort of security audit, there's always going to be some things that companies do differently.
And, at some point, somebody in the agency is going to look at what you're doing, how you're meeting that requirement, and make a decision based on how they're using you and on what type of product you have, as to whether or not it's acceptable in this use case.
So, although the process is the same, it is possible that for some cloud service providers, an agency might have different standards or different levels of standards than they would for others.
New Relic: Tell me about the 325 things that we had to check, and did we have to change things on our end to meet the requirements?
Shaun: We definitely had to make some changes. I mean, you can't go through a process like this and not have to do some things. But we don't want to drive our security program around compliance. We don't want to do things just because we need to be compliant. We've always said, "Let's do the right thing to make us secure, to make our customers' data secure." And we know that if we're doing the right things, compliance will follow.
It's still, however, a lot of paperwork and a lot of process. So, I don't want to say we didn't have to do anything, and this process took us, you know, almost two years to go through.
New Relic: Why so long?
Shaun: It's a long process. Generally, there's sort of three or four phases that you have to go through.
The first one is what they call sort of a readiness phase, where basically we have to put together our System Security Plan—an SSP. This is basically someone coming in and documenting all the ways that you are going to protect this data, and how you fulfill each of the 325 NIST controls as they are interpreted by the FedRAMP program. For us, it's really just documenting formally a lot of the things we were already doing. Once that's done, then we have to engage another consultant; they call it a Third-Party Assessment Organization—a 3PAO.
And they come in and they do a couple of things. The first thing they do is create what we call a Security Assessment Plan—an SAP. And that's basically a plan for how they are going to actually assess us against the system security plan that was created previously. Once they've done that, they actually go through and assess us, which is basically an audit. We've gone through lots of audits. So, we actually have SOC 2 Type 2.
New Relic: You mentioned SOC 2. What does that stand for?
Shaun: It’s actually Service Organization Control. This is a standard audit or assessment that's done across the industry. And a lot of our customers, you know, our non-government customers, when they want to evaluate our security before they actually sign up, they'll ask us for some sort of audit report like a SOC 2. So, it's a standard that we provide.
New Relic: Those are the audits that they're looking at?
Shaun: Yes. We've been doing that for a long time. And that's been looking at a lot of the same controls. The real difference is that the FedRAMP controls, there's a lot more rigor. They're looking for a lot more documentation, a lot more process documents, that sort of thing. This is a government after all, so there has got to be lots of paperwork.
Although the controls are similar, the way we go about them is somewhat different. We have to go through that assessment, and they do that audit, and they find some things. Every time, you know, somebody does an audit, there's generally going to be some things that aren't quite meeting standards. We found about 20 items I think when we went through this.
New Relic: Out of the 325?
Shaun: Out of the 325. We were actually able to address about half of those while we were going through this process and ended up with about 10 outstanding items. And at that point, we had to go through the remediation. Basically, address each of those items.
And then finally, once they're all addressed, we think they're all at the right place, we then submit a package to the government that then they review and if they think it looks good, they'll approve it. And that's when we're ready to go and get our ATO.
FedRAMP compliance takes time
New Relic: And that takes months as well.
Shaun: And for us, one of the things that was really driving the length of this process is we had a couple of long pole items—things that were not quick to change, not necessarily things that we considered high-security risks, but things that just took time.
One example of that was we have a VPN, just like any other company. We have a VPN so that we can get to our data center. Our VPN didn't have a certain government certification, FIPS 140-2. That doesn't mean it wasn't secure, but it wasn't certified.
So, we had to put together a project to replace all those VPN devices.
New Relic: Got it. What does it mean that we've achieved FedRAMP ATO for us but also for our customers?
Shaun: I think for New Relic, it's a validation. For me personally, it's a validation that we have a solid security program in place. And it's not just me saying it to you. Somebody else from the outside has come in and validated that, "Yes, you are actually doing the right things, you're doing them well." It's just sort of a bar we can hold ourselves against.
The other way I've always looked at, you know, this audit as well as our SOC 2, other audits we do, is it's just really making sure there are no gaps. There's not something that I'm just not thinking about, that we're not thinking about. We're making sure we're covering all aspects of security. That’s sort of the internal-looking view of it.
For our customers, there's the obvious, which is now the government can easily use New Relic.
As I mentioned before, in the past, what would happen is each government agency would have to go through this long security review process to use New Relic. That's daunting. In a lot of cases, it's easier for them just not to do it.
Now, they can say, "Hey, look, New Relic has already been certified by this other agency. We know this is going to be easy, you know, we can use New Relic, it's not going to be a burden for us." There’s also the non-federal government customers as well.
Applicable to non-federal customers as well
New Relic: That's really interesting. I wanted to ask about that.
Shaun: For non-federal government customers, I think it does a few things.
A lot of people know this is a high bar, higher than the SOC 2 necessarily. I get on calls with customers quite often where they want to ask for our security controls and are basically looking for comfort that we're doing the right thing.
And by just mentioning that we went through the whole FedRAMP certification process, that provides them a lot of that peace of mind, because they know somebody with high criteria for security is looking at us. And one thing I should mention too, is that while this is going on, we have to get re-certified every year. They actually look at a third of the controls every year. So, every three years they look at all the controls again.
This isn't just a one-time shot; we're going to have eyes on us continuously. We also have to continue reporting monthly to the federal government about the status of all this. Do we think these controls are still working? Have there been any changes in our stance? That provides these customers with that additional comfort.
The other thing is that FedRAMP is based around some standard controls that anybody can view. And a lot of other companies, as well as local governments, are starting to leverage those controls as well. Even if they don't need a service provider to be FedRAMP certified, they know that we've been certified to the certain set of controls that they do require.
Cloud service vendors all-in on FedRAMP
New Relic: Are there a lot of companies and cloud service vendors that have achieved ATO status in a variety of ways, or is this new and still in the process of validating cloud service providers as secure enough for government use?
Shaun: There is starting to be more and more of that. This is actually all publicly available information. FedRAMP has a site and you can go there now and look up and see New Relic listed.
New Relic: Do you see this as the government starting to recognize that cloud services are secure enough for their purposes in ways that maybe that wasn't considered a few years ago?
Shaun: I guess I would look at it as they've recognized for a while that they need to use cloud services, just like the rest of the industry. And what this really does is lets them validate very quickly; lets these other agencies validate really quickly that, yes, these companies are secure, we can securely use the cloud.
New Relic: This is part of their modernization process, in a way.
Shaun: Absolutely, yeah.
New Relic: Are the rules different for cloud service providers as opposed to on-premise software vendors that, you know, you mentioned the 325 points in the audit and everything. Are those points different for a company like us versus a company that's maybe selling something on people's servers?
Shaun: Yeah. This process is definitely focused on the cloud service providers. That really is the idea.
New Relic: The whole FedRAMP program is?
Shaun: Yes, the FedRAMP program.
New Relic: Oh, okay, good to know. I don't think I understood that. With that in mind, Shaun, how would you characterize the government's adoption of modern cloud technologies and other sorts of modern technologies compared to the private sector right now?
Shaun: It's starting to feel to me that they're...You know, I guess my gut is that they are basically where the enterprise was a while ago...
New Relic: That's not so bad.
Shaun: When I started at New Relic, the enterprise was pretty hesitant to adopt cloud. It was an uphill battle for me in a lot of my security conversations. That doesn't happen anymore, right? The security conversations used to be about, "Can we use cloud securely at all?" Now the conversation is just about, "Show me that New Relic is secure."
And I feel that that's where the government is now, where we don't have to convince them anymore. The fact that we've got the FedRAMP program in place shows me that we don't have to convince them that the cloud can be secure. It's just about showing that New Relic, or a particular company, is secure.