The government wants you to be FedRAMP authorized! Cloud computing has become an essential part of the federal government’s IT strategy, and that strategy depends on access to the latest, most innovative solutions from private industry. However, cloud computing also poses significant security risks: federal data and systems are exposed to new threats and vulnerabilities in the cloud environment.
To address these challenges, the Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 to promote the adoption of secure cloud services across the U.S. government. FedRAMP promotes technology adoption by providing a common security framework, making it possible to reuse authorizations across multiple agencies and departments.
Any organization wishing to offer cloud-based products or services to the U.S. government must be FedRAMP authorized. FedRAMP authorization consists of demonstrating that all required security controls (the NIST SP 800-53 baseline for your system’s impact level: Low, Moderate or High) are in place and operating effectively. The authorization process involves application/infrastructure preparation, assessment and authorization. After receiving the Authority to Operate (ATO), you are required to perform continuous monitoring, monthly reporting, and yearly audits to maintain your authorized status.
The most important player is you – the enterprise wishing to offer cloud products or services, referred to as a Cloud Service Provider (CSP). CSPs are the developers of Cloud Service Offerings (CSOs).
Next come your Third-Party Assessment Organization (3PAO) and FedRAMP advisor(s). The 3PAO must be accredited by FedRAMP, and performs the Readiness Assessment Report, Full Security Assessment and yearly audits. Individuals and organizations performing FedRAMP advisory services must be independent from the 3PAO and can provide you the knowledge and assistance to help you through the FedRAMP process.
On the federal government side, the Joint Authorization Board (JAB) is the primary governing body of FedRAMP, consisting of the CIOs of the DoD, DHS, and GSA. The JAB, Sponsoring Agencies and the FedRAMP Program Management Office (PMO) review the CSP’s complete security package and decide whether a new product or service represents acceptable risk and can be authorized.
Paths to FedRAMP Authorization
There are two primary approaches to obtaining a FedRAMP authorization:
Agency Process – working directly with a federal agency that has agreed to sponsor your application and assist you through the entire process. Successful completion results in an Authority to Operate (ATO) issued by that agency and that agency’s ability to use your product. Other agencies can then reuse your security package to issue their own ATOs.
JAB Process – working with the JAB enables you to receive a Provisional Authority to Operate (P-ATO). Individual agencies can then utilize this authorization and associated security package to issue their own ATO.
Organizations wishing to become FedRAMP compliant without an agency sponsor or JAB selection can still complete the preparation phase and the 3PAO’s Readiness Assessment. Once the PMO accepts the Readiness Assessment Report, the organization achieves the status of “FedRAMP Ready” and is listed in the FedRAMP Marketplace. When selected by a federal agency, the organization then completes the full assessment and authorization steps to obtain an ATO.
FedRAMP Phases & Their Activities
00 Selection: This is not an “official” FedRAMP phase, but pre-execution planning, expectation setting, and partner selection are critical to success. Before ever starting to customize code or document compliance processes, you’ll want to develop a business case which includes estimated timelines and costs, as well as deciding your sponsorship route and selecting your FedRAMP advisory and auditing partners.
01 Preparation: This stage is where the bulk of the customization and documentation occurs, aligning your SaaS product or service with FedRAMP’s exacting compliance standards. Your entire application and its supporting environment must be deployed inside a clearly defined authorization boundary, typically on infrastructure that already holds a FedRAMP authorization (such as a government-only cloud region) so that the underlying infrastructure controls can be inherited, with every remaining component and process implemented and verified for FedRAMP compliance. Major milestones in this phase are the creation of the System Security Plan (SSP), which documents how each required control is implemented, and the 3PAO’s Readiness Assessment Report (RAR).
02 Authorization: There are two steps to the FedRAMP authorization phase: assessment and approval. First, your Third-Party Assessment Organization (3PAO) conducts a full, independent assessment of your system against the System Security Plan (SSP), including control testing, vulnerability scanning and penetration testing. They document the results in a Security Assessment Report (SAR), and any open findings are tracked in a Plan of Action and Milestones (POA&M). Then your sponsoring agency and the FedRAMP PMO, or the Joint Authorization Board (JAB), review the package, request additional information and remediation, and make the final authorization decision. Upon successful completion, you are listed in the FedRAMP Marketplace with the designation of “Authorized”!
03 Continuous Monitoring: Your FedRAMP authorization is conditional upon you maintaining – and demonstrating – continuous FedRAMP compliance. You must maintain ongoing infrastructure monitoring and perform monthly vulnerability scans of your operating systems, databases and web applications. Results are reported in a monthly Plan of Action and Milestones (POA&M) update, which records every open finding, its due date and its remediation plan, and provides a roadmap for addressing vulnerabilities and improving the overall security posture of the organization. FedRAMP sets remediation deadlines by severity (high-risk findings within 30 days of discovery, moderate within 90 days, low within 180 days), and missed deadlines must be explained in the POA&M. Yearly assessments conducted by your 3PAO must also be performed.
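As an added illustration of the monthly POA&M cycle described above (example code written for this page, not Anitian’s or FedRAMP’s own tooling), the script below turns a set of scanner findings into POA&M entries: it assigns each finding a due date from FedRAMP’s published 30/90/180-day remediation windows for high/moderate/low findings, then marks each entry open, overdue, closed or late-closed as of a reporting date. The finding records, asset names and the reporting date are constructed sample data; the `Finding`/`PoamEntry` types and function names are this example’s own.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# FedRAMP continuous-monitoring remediation windows, in days from discovery:
# high within 30 days, moderate within 90 days, low within 180 days.
REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}


@dataclass
class Finding:
    """One scanner finding as it might be exported from a monthly scan (constructed shape)."""
    finding_id: str
    asset: str
    severity: str          # "high", "moderate" or "low" (case-insensitive)
    discovered: date       # first date the scanner reported it
    remediated: Optional[date] = None  # date a clean rescan confirmed the fix, if any


@dataclass
class PoamEntry:
    """One row of the monthly POA&M report."""
    finding_id: str
    asset: str
    severity: str
    discovered: date
    due: date
    status: str            # "open", "overdue", "closed" or "late-closed"


def due_date(finding: Finding) -> date:
    """Remediation deadline: discovery date plus the window for the finding's severity."""
    sev = finding.severity.lower()
    if sev not in REMEDIATION_DAYS:
        raise ValueError(f"unknown severity {finding.severity!r} for {finding.finding_id}")
    return finding.discovered + timedelta(days=REMEDIATION_DAYS[sev])


def build_poam(findings: List[Finding], as_of: date) -> List[PoamEntry]:
    """Build POA&M rows for a reporting date, earliest deadline first."""
    entries = []
    for f in findings:
        due = due_date(f)
        if f.remediated is None:
            # Still open: overdue once the reporting date is past the deadline.
            status = "overdue" if as_of > due else "open"
        else:
            # Closed: note whether the fix landed inside the window.
            status = "closed" if f.remediated <= due else "late-closed"
        entries.append(PoamEntry(f.finding_id, f.asset, f.severity.lower(),
                                 f.discovered, due, status))
    return sorted(entries, key=lambda e: e.due)


def summarize(entries: List[PoamEntry]) -> Dict[str, int]:
    """Count entries per status, the figures a reviewer looks at first."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.status] = counts.get(e.status, 0) + 1
    return counts


# Constructed sample findings for one reporting period (not real scan output).
AS_OF = date(2024, 3, 15)
SAMPLE_FINDINGS = [
    Finding("V-001", "web-01", "High", date(2024, 2, 1)),
    Finding("V-002", "db-01", "Moderate", date(2024, 1, 10)),
    Finding("V-003", "bastion-01", "Low", date(2023, 10, 1)),
    Finding("V-004", "web-02", "High", date(2024, 1, 5), remediated=date(2024, 1, 20)),
    Finding("V-005", "api-01", "Moderate", date(2023, 11, 1), remediated=date(2024, 2, 15)),
]

if __name__ == "__main__":
    rows = build_poam(SAMPLE_FINDINGS, AS_OF)
    for r in rows:
        print(f"{r.finding_id}  {r.asset:<11} {r.severity:<9} due {r.due}  {r.status}")
    print("summary:", summarize(rows))
```

Anything reported as "overdue" or "late-closed" is what the sponsoring agency or JAB will ask about in the monthly review, so a real tracker would also carry the justification and milestone fields the POA&M template requires; those are omitted here to keep the example focused on the deadline logic.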
Anitian Is Your FedRAMP Expert