The Federal Risk and Authorization Management Program — FedRAMP for short — is the U.S. Federal Government’s strategy for encouraging federal agencies to adopt cloud computing practices, while minimizing risks to national security. It’s designed to help cloud service providers (CSPs) and federal agencies work together to develop tools that are secure and tailored to protect various types of data, from the lowest to the highest security classification. If you are a CSP seeking to work with the U.S. federal government in any capacity, you must demonstrate that you are FedRAMP compliant. FedRAMP authorization is a complex, multi-step process that takes time and careful planning to achieve — read on for our six tips for streamline that process and succeed in navigating FedRAMP compliance requirements.
What Is the Purpose of FedRAMP?
Data breaches are never a good thing — no company wants its users’ credit card data hacked or its patients’ health records leaked. When it comes to the federal government, however, a data breach can have more dire consequences than identity theft or lost reputation — it can seriously compromise national security. The Federal Risk and Authorization Management Program (FedRAMP) is a program housed in the U.S. General Services Administration (GSA) developed to standardize the assessment, authorization, and monitoring of cloud computing services used by federal agencies.
In 2011, the U.S. Federal Government’s Office of Management and Budget (OMB) created the Cloud First Policy. Cloud First, which later became Cloud Smart, maintained that federal agencies should prioritize cloud-based products in order to streamline communication and prepare for a world where cloud computing was the norm.
The goal of the Cloud Smart initiative was also to make communication between federal agencies and the public easier and more accessible. FedRAMP was developed in tandem with this push for federal agencies to adopt and use cloud service offerings (CSOs) — with the adoption of CSOs came the need for more stringent security controls to protect federal data from breaches and hackers. When you are strategizing about how to prevent cybersecurity breaches, FedRAMP can help you adopt some of the most rigorous security controls available.
What Types of Businesses Need to Be FedRAMP Compliant?
If you are a CSP or federal agency seeking to adopt cloud computing services, you need to be FedRAMP compliant. When FedRAMP was first developed, organizations were slow to achieve authorization, but now more than 250 companies are FedRAMP authorized. You can peruse the publicly-searchable FedRAMP Marketplace where some of the most well-known CSPs, from Google to Oracle to Accenture, are represented. The Marketplace also lists those organizations that are “In Process,” meaning they are actively working with an Agency or the Joint Authorization Board (JAB) towards authorization, and those which are “FedRAMP Ready”, meaning they have submitted their Readiness Assessment Report (RAR) and the FedRAMP Program Management Office (PMO) has given their stamp of approval. If your organization has a cloud service offering (CSO) or is a SaaS company looking to partner with the federal government, the FedRAMP Marketplace will become your way to connect to new agencies and to demonstrate your compliance for a wider audience. It also broadcasts your compliance to potential customers and clients beyond federal agencies.
How to Manage FedRAMP Requirements
Managing FedRAMP requirements can take some work, hefty organizational skills, and collaboration across your organization, especially if you’re seeking JAB Authorization as described below and want to work with high-impact data, but FedRAMP compliance requirements are clear and the guidelines are comprehensive. In the next section, we offer six tips for achieving FedRAMP compliance and navigating each step of the path.
Six Tips for Meeting FedRAMP Compliance Requirements
Is your organization ready to start working with the federal government? Are you ready to tackle the FedRAMP compliance requirements? Here are our six tips for achieving FedRAMP compliance and navigating the multiple paths to achieving authorization:
1. Determine Your Impact Baseline
Depending on what your CSP seeks to provide for federal agencies, you’ll determine your authorization level, which will determine the number of security controls you will need to implement in order to achieve authorization. FedRAMP is organized into three impact baseline levels: low, moderate, and high. These correspond to the risk of the impact that would occur if the information housed by that agency were to be breached. The first step on your FedRAMP compliance path will be completing the Federal Information Processing Standards Publication 199 (FIPS-199) form. The FIPS-199 will tell you exactly what risk impact level you’ll need to pursue. Knowing your impact baseline will also influence which authorization pathway you choose, which we’ll cover below.
2. Select Your Authorization Pathway
There are two main paths to FedRAMP authorization: through the Joint Authorization Board (JAB) or through a single Agency. Agency authorization prepares an organization with an Authorization to Operate (ATO) and JAB authorization prepares an organization for a Provisional Authorization to Operate (P-ATO). The pathway you select should correspond with your company’s maturity, its goals, and its risk-impact level.
JAB Authorization is the more challenging of the two and it is only appropriate for higher risk-impact organizations. The Joint Authorization Board (JAB) is composed of the General Services Administration, and CIOs from the Department of Defense and the Department of Homeland Security. The JAB prioritizes only 12 moderate- or high-impact organizations per year to assess for P-ATOs.
These limits make it much easier to go the Agency route, but JAB Authorization does have benefits. If a CSP works with a federal agency directly for Agency Authorization, they can start the process at any time and there are no limits on how many organizations can achieve ATOs per year. While the P-ATO is like a first step to achieving an ATO, The JAB’s provisional authorization is more stringent than an ATO, making it easier to establish partnerships with new Agencies in the future. In essence, JAB Authorization streamlines the way to achieving an ATO with any federal agency, because the P-ATO designation means that individual agencies don’t need to conduct their own security assessments. Individual agencies can trust that the JAB did the job.
3. Consider FedRAMP Tailored
As cloud service providers (CSPs) have become more popular across federal agencies and more organizations have developed cloud-based products, FedRAMP has adapted its guidelines to be more accessible and to cover more types of CSOs. In 2017, FedRAMP introduced a new category to its risk-impact levels called FedRAMP Tailored, for Low-Impact SaaS (LI-SaaS) companies. Organizations like GitHub, which worked closely with GSA to develop this option, have become FedRAMP compliant through FedRAMP Tailored. It is a great way for SaaS organizations to work with federal agencies without implementing security controls that wind up being unnecessary for their particular business needs. This impact baseline is consistent with the NIST SP 800-37, the NIST Risk Management Framework (RMF). Per FedRAMP Tailored LI-SaaS Requirements 3.0 guidelines, this option also “will reduce the time, money, and effort for agencies to approve low-impact systems for use, while maintaining compliance with applicable Federal laws, policies, and mandates.”
4. Prepare Your POA&M
FedRAMP authorization, the first step to compliance, is heavy on documentation. In addition to the FIPS-199, you’ll need to fill out the Plan of Action and Milestones (POA&M). The POA&M is essentially a risk management plan for your CSO, which aligns with the National Institute for Standards in Technology (NIST) Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations. With this publication, NIST stipulates that the CSP or the federal agency seeking authorization outline a schedule for implementing controls and lay out a plan of action for remediating “weaknesses or deficiencies noted during the assessment of the controls”. This document also integrates the Federal Information Security Management Act (FISMA) and FedRAMP, ensuring that the security controls included in the POA&M are also FISMA compliant. The POA&M outlines steps the organization must take to reduce vulnerabilities, the resources it needs to take those steps, and a series of milestones that the organization will meet.
5. Engage Your Third-Party Assessment Organization (3PAO)
Check out the FedRAMP Marketplace — you can peruse the CSPs already listed, get more information on federal agencies, and, most importantly, you can find a list of third-party assessment organizations (3PAOs). You’ll need to engage a 3PAO, who will assess your organization and create your Readiness Assessment Report (RAR), which signals that you are ready for your ATO or P-ATO. A 3PAO assessment is mandatory for the JAB authorization path and “highly recommended”, for the Agency Authorization path. NIST also outlines protocol for accreditation for 3PAOs in NIST SP 800-53, so you can reference the document to help you make your decisions about which 3PAO you want to enlist. Once the 3PAO files the RAR, the next step is to receive approval through the FedRAMP Program Management Office (PMO), which will allow you to proceed with authorization.
6. Prepare for Continuous Monitoring
Once you’ve received your ATO or your P-ATO, you must follow a schedule for continuous monitoring (ConMon in FedRAMP lingo). ConMon includes monthly vulnerability scans. In plotting out your schedule for monitoring, it can help to prepare for this by revisiting your POA&M, assigning ownership of controls to the right staff, and developing an auditing and risk management plan specifically designed to maintain your FedRAMP authorization. Plan well for this phase, which also requires that you stay up to date on any new FedRAMP compliance requirements and security controls for your assigned impact-level — failing to do so could lead the JAB or the Agency you’re working with to revoke your ATO.
Ready to Tackle FedRAMP Compliance?
From selecting your FedRAMP path to using FIPS-199 to determine your impact-level to preparing your POA&M and implementing continuous monitoring, meeting FedRAMP compliance requirements can be challenging. You can streamline your FedRAMP compliance efforts and integrate related compliance procedures, like an NIST audit, by using the right compliance management software.