FedRAMP Audit Logging [Best Practices, Solutions, and Tips]
If you are working in the federal space, then you and your service vendors must be FedRAMP compliant, and that means maintaining audit logs. Audit logs can be expensive and time-consuming to produce and retain, but they are mandatory for maintaining compliance.
So why are audit logs important for FedRAMP compliance? Audit logs help companies demonstrate their compliance during audits to both regulatory bodies and customers. Audit logs can also help with fact-finding during forensic investigations after incidents.
What Is FedRAMP and Why Are Audit Logs Important?
FedRAMP is a federal compliance framework that specifically addresses security for cloud providers working with federal agencies. Under this definition, “cloud service providers” (CSPs) can represent a large swath of different companies with different services tied to cloud technology, including storage or Software-as-a-Service (SaaS) applications.
A critical part of FedRAMP compliance is auditing. CSPs undergo audits through a third-party security company, called the Third-Party Assessment Organization (3PAO). 3PAOs are certified organizations that know FedRAMP requirements and work with CSPs during their entire compliance journey.
An important role of 3PAOs is the testing, auditing, and assessment of their CSP partners to ensure three things (depending on where they are in the journey):
- That the CSP is fit to undergo the certification process (FedRAMP Ready)
- That the CSP has successfully undergone testing and audits to attest to their certification (called the Authorized to Operate designation or ATO)
- That the CSP continues to maintain compliance after certification (Continuing Maintenance)
Additionally, audit logs are a necessary part of FedRAMP Continuing Maintenance: not only must a CSP keep logs on events like user access, breaches, or other items related to data, but it must demonstrate the ability to do so at different scopes and scales, depending on the data it handles.
At all junctures of this journey, FedRAMP regulations require 3PAOs to create a detailed landscape of the changes, updates, and implementations of security controls. And, if you are working with federal agencies, any CSP or service provider you partner with for services must meet these minimum requirements, including FedRAMP auditing.
CSPs typically share the ongoing 3PAO reporting and audits with customers, thus assuring them of a continuous cyber risk management strategy.
How Can I Create, Maintain, and Secure Audit Logs?
There isn’t a “one-size-fits-all” audit solution for any company, and the requirements for logging will differ based on the controls required.
What is a FedRAMP security control? NIST SP 800-53 defines a series of security controls that a CSP must adopt to demonstrate compliance. When you work with a vendor that is FedRAMP compliant, it will advertise the impact level for which it is authorized.
These controls are broadly applied to systems, and not all partners must implement all functionality. However, many of these features are important parts of security, and cloud providers often include them no matter what work they do. In fact, it is a testament to their trustworthiness if your provider can speak to their advanced capabilities above and beyond the bare impact requirements.
For example, there are several ways to create “non-repudiation” in a system. Non-repudiation is the requirement that audit log entries are indisputably tied to a user or event, so that the user cannot later deny the recorded action. This typically involves some method of ensuring that a log has not been tampered with after creation.
Some of these methods are more effective than others. Some use a cryptographic hash or digital signature over the log file to show that it has not been tampered with, a method with limited effectiveness that depends on the proper use of hash keys. Hashing a log file also does not, by itself, guarantee that no entries are missing from the audit trail. Some providers are using newer blockchain technology as a method of non-repudiation.
In this specific case, it would be up to the CSP, in consultation with their 3PAO, to determine that a method of non-repudiation in logs is secure, effective, and falls within the scope of FedRAMP regulations.
That said, partner vendors should be able to speak about their auditing methods along the lines of some basic features. These include:
- Create logs that contain enough data to be useful for auditing purposes. This includes items like date and time, event records, system state, user access, and other information.
- Automate log generation, backup, and security. While it might seem obvious that a system should automatically generate logs, CSPs should also have redundancy plans for logs that are secure and reliable.
- Utilize an effective chain of evidence to ensure integrity. Whether hashes, blockchains, or some other tool, there should always be some security measure in place to guarantee the integrity of an audit trail.
- Understand your vendor’s FedRAMP Impact Level. FedRAMP, through the Federal Information Processing Standards (FIPS) publication, divides data impact levels into Low, Moderate, and High, depending on the sensitivity of the data and the potential damage that could occur if it were compromised.
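The discussion of non-repudiation above (hashing a file proves it was not altered, but not that entries were removed) and the “chain of evidence” bullet are easiest to see in code. The following is an added example, not Kiteworks code and not part of the original article: each audit entry carries a keyed HMAC over its own content, its sequence number, and the MAC of the previous entry, so that editing, reordering, or deleting an entry breaks the chain. The key, event records, and the `expected_head` anchor are all constructed for illustration; in a real deployment the key would live in a KMS or HSM and the head MAC would be exported regularly (for example, forwarded to the SIEM), which is what makes silent truncation of the tail detectable.

```python
import hashlib
import hmac
import json
import copy

# Constructed demo key. In production this comes from a KMS/HSM, never from source.
AUDIT_KEY = b"example-audit-mac-key-not-for-production"
GENESIS = "0" * 64  # link value for the first entry


def _mac(prev_hash, seq, record):
    """Keyed MAC binding this record to its position and to the previous entry."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    msg = prev_hash.encode() + b"|" + str(seq).encode() + b"|" + body
    return hmac.new(AUDIT_KEY, msg, hashlib.sha256).hexdigest()


def append_entry(log, record):
    """Append an event to the chained log and return the stored entry."""
    prev = log[-1]["mac"] if log else GENESIS
    seq = len(log)
    entry = {"seq": seq, "prev": prev, "record": record, "mac": _mac(prev, seq, record)}
    log.append(entry)
    return entry


def verify_chain(log, expected_head=None):
    """Walk the log from GENESIS; return (ok, offending_seq_or_None, reason).

    expected_head is the last MAC previously exported to a trusted store; without it,
    deletion of trailing entries cannot be detected (the shortened chain is still valid).
    """
    prev = GENESIS
    for expected_seq, entry in enumerate(log):
        if entry["seq"] != expected_seq:
            return (False, expected_seq, "gap or reordering")
        if entry["prev"] != prev:
            return (False, entry["seq"], "broken link")
        recomputed = _mac(entry["prev"], entry["seq"], entry["record"])
        if not hmac.compare_digest(entry["mac"], recomputed):
            return (False, entry["seq"], "tampered record")
        prev = entry["mac"]
    if expected_head is not None and prev != expected_head:
        return (False, len(log), "truncated or head mismatch")
    return (True, None, "ok")


def build_sample_log():
    """Constructed sample events (not taken from any real system)."""
    events = [
        {"ts": "2024-01-15T10:00:00Z", "user": "alice", "action": "login",
         "result": "success", "src": "203.0.113.5"},
        {"ts": "2024-01-15T10:01:12Z", "user": "alice", "action": "download",
         "object": "/contracts/q1.pdf", "result": "success"},
        {"ts": "2024-01-15T10:02:40Z", "user": "bob", "action": "login",
         "result": "failure", "src": "198.51.100.9"},
        {"ts": "2024-01-15T10:03:05Z", "user": "alice", "action": "logout",
         "result": "success"},
    ]
    log = []
    for ev in events:
        append_entry(log, ev)
    return log


def run_scenarios():
    """Exercise the verifier against common tampering patterns."""
    log = build_sample_log()
    head = log[-1]["mac"]  # the value a trusted store would hold

    edited = copy.deepcopy(log)
    edited[1]["record"]["object"] = "/public/readme.txt"  # rewrite history

    deleted = copy.deepcopy(log)
    del deleted[2]  # remove bob's failed login from the middle

    truncated = copy.deepcopy(log)[:3]  # drop the newest entry

    return {
        "intact": verify_chain(log, head),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated_no_anchor": verify_chain(truncated),
        "truncated_with_anchor": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22s} {result}")
```

The `truncated_no_anchor` case is the point the article makes about per-file hashes: a chain that simply ends early is internally consistent, so integrity of the trail as a whole depends on regularly committing the head MAC somewhere the log writer cannot alter. A blockchain-style ledger is the same chaining idea with the head replicated across parties instead of a single trusted store.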
Kiteworks Automated Compliance Logging
The Kiteworks platform is a FedRAMP-authorized Low and Moderate Impact provider of managed file transfer (MFT), SFTP, file storage, and secure email tools that brings enterprise-grade innovation to the federal space. Kiteworks provides capabilities in the following areas:
- Security: Kiteworks employs a defense-in-depth approach consisting of comprehensive encryption for sensitive data in motion and at rest, an embedded and optimized network firewall and web application firewall (WAF), anti-malware technology, multiple layers of server hardening, zero-trust communications between internal services and cluster nodes, and internal tripwires. Kiteworks enables organizations to share and transfer sensitive files through various channels, whether secure file sharing, encrypted email, SFTP, managed file transfer, web forms, or application programming interfaces (APIs). Administrators use role-based controls to enforce security and compliance policies and to configure simple connections to security infrastructure components such as MFA. Kiteworks customers stay up to date on the latest patches with single-click updates, just as they do when using their smartphones.
- Compliance: If you are a provider or agency working with or in the federal government, then you can utilize Kiteworks, which is compliant with numerous federal standards such as the Cybersecurity Maturity Model Certification (CMMC), NIST 800-171, among others. Kiteworks also is FedRAMP Authorized for FedRAMP Low and Moderate Impact, including controls for important security areas like Access Control, System and Information Integrity, and Auditing and Accountability.
- Governance and visibility: Kiteworks generates, stores, and secures FedRAMP-compliant logs, while providing extensive governance and comprehensive visibility via the CISO Dashboard. The former includes the ability to enforce geofencing by setting block-lists and allow-lists for IP address ranges, configuration to store user data only in their home country, audit trails for compliance reporting, reporting on what files have passed or failed antivirus, data loss prevention, and advanced threat protection. The CISO Dashboard monitors system access, data transfers, and potential breaches in real time. It automatically alerts on potential breach events such as internal tripwires and suspicious data transfer scenarios. And for those organizations seeking to consolidate information on sensitive content sends, shares, and transfers, Kiteworks’ hardened server enforces immutable logging and automatically forwards logs to your security information and event management (SIEM) system.
- Private cloud: For additional security, each Kiteworks customer is deployed on a private cloud environment, meaning the customer is the only tenant on its cloud server and its data and metadata are not intermingled with those of other Kiteworks customers. Finally, each Kiteworks private cloud is deployed in its own Amazon Web Services (AWS) Virtual Private Cloud (VPC); the infrastructure is not shared with other AWS or Kiteworks customers.
The Kiteworks platform includes advanced security features like SOC 2 attestation, separate virtual cloud systems, extensive reporting with annual audits and continuous testing, and an immutable audit trail to ensure security and compliance.