This blog was written by a third party author
The Federal Risk and Authorization Management Program (FedRAMP) is a compliance program established by the US government that sets a baseline for cloud products and services regarding their approach to authorization, security assessment, and continuous monitoring.
The program’s governing bodies include the Office of Management and Budget (OMB), US Department of Homeland Security (DHS), National Institutes of Standards & Technology (NIST), US General Services Administration (GSA), US Department of Defense (DoD), and the Federal Chief Information Officers (CIO) Council.
Any cloud service providers that wish to offer products and services to the US government must establish FedRAMP compliance. Applying the NIST Special Publication 800 series as a baseline, FedRAMP requires cloud service providers to undergo an independent security assessment conducted by a third-party assessment organization (3PAO) to ensure authorizations comply with the Federal Information Security Management Act (FISMA).
Note: The foundations of FedRAMP involve a significant number of acronyms, and as much as we tried to keep them to a minimum, they’re an essential part of the story.
FedRAMP was established to:
- Ensure that cloud systems used by government agencies have adequate safeguards in place
- Eliminate duplication efforts and reduce risk management costs
- Enable cost-effective and rapid government procurement of cloud services
The goals for FedRAMP (according to FedRAMP.gov) are:
- Advancing the adoption of secure cloud solutions through reuse of assessments and authorizations
- Improving confidence in the security of cloud solutions and security assessments
- Achieving consistency of security authorizations with a set of agreed-upon standards for cloud product approval, in or outside of the program
- Ensuring consistency in the application of existing security practices
- Increasing automation and near real-time data for continuous monitoring
Requirements for FedRAMP certification
One of the most critical factors for successful government adoption of cloud computing is verifying that essential security controls are executed on any cloud solution that stores, processes, and transmits government data. With FedRAMP, cloud systems must also meet the security levels and needs for protecting government data as verified by 3PAO audit.
The FedRAMP requirements apply to cloud service providers (CSP) and cloud service offerings (CSO). Depending on the application, the two acronyms (CSPs and CSOs) are used interchangeably.
Other important FedRAMP acronyms include the authority to operate (ATO) and the FedRAMP Program Management Office (PMO).
Reviewing the mandates for CSPs
CSPs must prove that they meet FedRAMP compliance requirements before a federal agency can use them. The authorization mechanism is called the FedRAMP Authority to Operate (ATO).
How the cloud service provider is authorized can be a significant decision for any CSP planning to offer products and services to federal agencies.
There are two methods for obtaining a FedRAMP Authorization to Operate (ATO): directly from a government agency or the Joint Authorization Board (JAB). The latter authorization is known as FedRAMP Provisional Authorization to Operate (P-ATO).
Achieving a P-ATO is a more stringent process that is only available after a CSP has achieved several individual Agency ATOs. It requires assessment and approval by the by the Joint Authorization Board (JAB) comprised of the Department of Homeland Security (DHS), Department of Defense (DoD) and the General Services Administration (GSA).
CSPs must achieve the following high-level requirements for FedRAMP certification, authorization, and compliance by the PMO:
- The cloud service provider (CSP) has been granted an authority to operate (ATO) either through an Agency ATO (US federal agency) or a Provisional ATO (P-ATO)
- The CSP meets the FedRAMP security control requirements as described in the NIST 800-53, Rev. 4 security control baseline for moderate or high impact levels.
- The required FedRAMP templates must be used for all system security packages.
- The CSP must undergo an assessment by a third-party assessment organization (3PAO).
- The completed security assessment package must be posted in the FedRAMP secure repository.
Types of organizations that will require a FedRAMP approved security provider
Any organization wishing to offer their cloud-based Infrastructure-as-a-Service (IaaS), Platform as a Service (PaaS), and Software-as-a-Service (SaaS) applications and services to a U.S. government agency must demonstrate that its systems are FedRAMP compliant. As a matter of fact, every federal government contract actually includes specific FedRAMP requirement language.
It’s imperative that your organization understands as much about the FedRAMP authorization process as possible and realizes that the process requires a lot of work.
If you’re working towards FedRAMP compliance, there are two critical steps to follow:
- Make sure you possess a system that is fully built and functional, incorporating the CIA Triad information security principles of Confidentiality, Integrity, and Availability.
- Ensure a leadership team is in place that is fully committed and bought into the process.
Generally, the types of organizations that will require a FedRAMP approved security provider would be most federal government agencies as well as organizations that work with the government, like defense contractors (Lockheed Martin, Raytheon, etc.).
Finally, for organizations with advanced security requirements and especially those that must comply with FedRAMP, it’s crucial to work specifically with security vendors that are FedRAMP compliant themselves.
While this article has covered the basics, any organization seriously considering FedRAMP certification will need more specifics. For much more information and detail about FedRAMP compliance, Amazon Web Services has a great FAQ here, and the FedRAMP site has a list of important documents here.