The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide framework that created a standardized process for assessing, authorizing and continuously monitoring cloud services security. FedRAMP empowers the federal government to smoothly adopt cloud computing by producing consistent standards and processes for security authorizations and allowing agencies to utilize security authorizations across the board.
FedRAMP was released in 2012. Prior to FedRAMP, cloud services were forced to comply with different security requirements for each federal agency. FedRAMP eliminated this duplication by producing a common security framework. A cloud service offering is authorized once and then the security package can be used by any federal agency.
The FedRAMP framework includes two main entities: the Program Management Office (PMO) and the Joint Authorization Board (JAB). The JAB serves as the primary governance and decision-making body for FedRAMP.
FedRAMP includes 14 applicable laws and regulations, along with 19 standards and guidance documents.
A commercial cloud service offering (CSO) must demonstrate FedRAMP compliance before it can be used by a federal agency. FedRAMP compliance mandates implementation of the NIST 800-53 controls as well as the FedRAMP PMO requirements. Authorization is granted to the cloud service provider (CSP) through the provision of what is known as the FedRAMP Authority to Operate (ATO).
What are the requirements for FedRAMP Compliance?
FedRAMP authorizations for CSPs consists of two options:
- A Provisional Authority to Operate (P-ATO) through the JAB: A FedRAMP P-ATO is an initial JAB approval of the cloud provider’s authorization package. An Agency can use that approval to obtain an ATO for the acquisition and implementation of the cloud service within their Agency.
- An Agency Authority to Operate (ATO): A FedRAMP ATO is part of the Agency authorization process. Cloud services work directly with the Agency sponsor who then assesses the CSP’s security package. Once a security assessment is completed, the head of an Agency (or their designee) can grant an ATO.
No matter which type of authorization you pursue, FedRAMP authorization involves the following steps:
- Completion of all FedRAMP documentation* including the FedRAMP System Security Plan (SSP)
- Implementation of controls based on FIPS 199 categorization
- Assessment of commercial cloud offerings by a FedRAMP Third Party Assessment Organization (3PAO)
- Development of a Plan of Action and Milestones (POA&M)
- Earn JAB Provisional ATO (P-ATO) or Agency ATO. The provider can then be listed in the FedRAMP Marketplace.
- Establishment of a Continuous Monitoring (ConMon) program including monthly vulnerability scans
*In addition to the SSP, the other required documentation in the FedRAMP assessment package include but are not limited to: User Guides, Information Security Policies and Procedures, Configuration Management Plans, Contingency Plans, Incident Response Plans and Control Implementation Summary (CIS) and Worksheet.
Additionally, FedRAMP offers four impact levels for services with different kinds of risks. They’re based on the potential impacts of a security breach in the areas of confidentiality, integrity and availability (the CIA triad). To determine your organization’s impact level, you need to understand the different types of data your organization has access to and the different modes of protecting and securing that data. The higher levels include additional controls to adequately protect your data. The first three are based on FIPS 199 and the fourth is based on the NIST Special Publication (SP) 800-37. The impact levels are:
- Low Impact Security Level (125 controls): If you manage an information system which includes publicly available data, you only require the low security level baseline. In other words, if the data were to be compromised it would have low impact
- Moderate Impact Security Level (325 controls): If your data contains personally identifiable information (PII), the moderate security level baseline is the way to go. In other words, if this information system is compromised, it would have a serious impact
- High Impact Security Level (421 controls): If a hit to your information system would have severe impact on federal agencies, which could lead to economic crisis or financial ruin, the high security level baseline is a must
- Low-Impact Software-as-a-Service (LI-SaaS) 36 controls: This level is relevant for systems that are low risk and low cost for uses like collaboration tools, project management applications, and tools that help develop open-source code. This category is also known as FedRAMP Tailored
The FedRAMP approval process can take anywhere from six months to two years and can cost companies a pretty penny.
Why should you be FedRAMP compliant?
FedRAMP compliance is required for any CSP that stores federal data. As such, if your organization plans to work with the federal government, FedRAMP authorization should be your first step.
All FedRAMP-authorized CSPs are listed in the FedRAMP Marketplace. This has many benefits to your organization. When seeking a new vendor, government bodies will first check out the FedRAMP marketplace as starting an authorization process from scratch with a potential provider is lengthy, time consuming and difficult. Choosing a CSP from the marketplace guarantees working with an already authorized provider.
Furthermore, FedRAMP compliance can lead to more business opportunities in the private sector. Private-sector companies often take advantage of the public FedRAMP Marketplace when looking for vendors, as it ensures a secure cloud product.
FedRAMP compliance demonstrates an ongoing commitment in maintaining the highest security standards.
Additional compliance benefits include:
- Reduces repetitive documentation, inconsistencies and cost
- Increases the integration of secure cloud technologies by government agencies. Offers an enhanced framework by which the government can secure and authorize cloud products
- Builds and maintains strong partnerships with FedRAMP stakeholders
CSPs that choose not to comply with FedRAMP, risk losing all business in both the public and private sectors, as lack of authorization may be a deal-breaker.
How to achieve compliance?
Obtaining FedRAMP authorization is serious business. The level of security required is mandated by law. It’s one of the most rigorous SaaS certifications in the world and not a cheap one to boot.
Centraleyes has already done the hard work for you by creating a streamlined automated process for achieving full FedRAMP compliance. The Centraleyes platform helps determine your impact level and provides you with a custom questionnaire based on that.
In a single, centralized, smart interface, you can complete all the required FedRAMP documentation, and once authorized, your newly certified organization will be automatically uploaded to the FedRAMP Marketplace, joining the hundreds of already authorized CSPs.
Use Centraleyes for all your FedRAMP needs and requirements for the most efficient and cost-effective way to achieve FedRAMP compliance.
Links:
How to Become FedRAMP Authorized | FedRAMP.gov
FedRAMP Security Controls Baseline document