What Is FedRAMP Compliance? 6 Steps to Achieve Authorization

What Is FedRAMP Compliance? 6 Steps to Achieve Authorization

The U.S. Federal Government has been promoting the adoption of cloud computing since the Cloud First Policy was first developed in 2011 by the Office of Management and Budget — the main idea was to make information and information sharing easier, more accessible, and faster across federal agencies and to enhance communication between the government and U.S. citizens. In 2018, Cloud First evolved into Cloud Smart, which provided further guidance for actually implementing security measures and procurement of cloud computing services. As these policies developed, so did the need for strong cybersecurity measures. As cyber risks grew to threaten governments as well as organizations, the U.S. government implemented measures to secure the federal use of cloud solutions.

The Federal Risk and Authorization Management Program (FedRAMP) is a program housed in the U.S. General Services Administration (GSA) and created to standardize the assessment, authorization, and monitoring of cloud computing services used by federal agencies. Cloud service providers (CSPs), SaaS companies, and other cloud providers seeking to work with federal government agencies need to demonstrate FedRAMP compliance, as do the federal agencies seeking to employ their services. So, what is FedRAMP compliance and what steps do you need to take to make sure you’re following FedRAMP standards? 

What Is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP)’s mission is to serve as “a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agents.” This program, developed by the  U.S. government to standardize the security assessment, authorization, and regular monitoring of cloud computing services used by federal agencies is housed in the General Services Administration (GSA). FedRAMP operates in conjunction with the Department of Homeland Security (DHS) and the Department of Defense (DOD), along with other government agencies. FedRAMP compliance guidelines also dovetail with technical guidelines for cloud computing presented by the National Institute of Standards and Technology (NIST) Special Publication 800-53 and support federal agency compliance with FISMA and OMB Circular A-130

FedRAMP has two major functions or teams, the FedRAMP Program Management Office (also known as the FedRAMP PMO) and the Joint Authorization Board (JAB), which works specifically with the Chief Information Officers of the DOD, the DHS, and the GSA. The FedRAMP PMO furthers the mission and goals of the FedRAMP program, while the JAB operates as the governance and oversight authority for FedRAMP.

FedRAMP compliance carries significant benefits for cloud solutions companies, reducing redundancy, establishing a relationship between cloud providers and the federal government, and driving the adoption of cloud products through transparent standards and government-wide security authorizations. To work with the U.S. government’s federal agencies, companies like AWS and its competitors maintain FedRAMP compliance. The stated goals of the FedRAMP program are to expand the adoption of secure cloud services used by the federal government, improve and maintain the framework the government uses to evaluate, secure, and authorize cloud solutions, and build partnerships with FedRAMP stakeholders.

Image: A Guide to FedRAMP Acronyms

In addition to developing and updating the guidance, templates, and process for achieving FedRAMP certification, the FedRAMP program collaborates with a variety of government agencies and cloud partners, plus third party assessors (3PAO). They also maintain the repository of authorized Cloud Service Offerings (CSOs) and accompanying documentation in the form of the FedRAMP MarketPlace. Through this database, anyone can view CSOs that have some kind of FedRAMP designation, federal agencies that use CSOs, and 3PAOs that can perform FedRAMP assessments. 

What Does It Mean to Be FedRAMP Compliant?

So, how does FedRAMP compliance affect your organization? The main thing to note is any cloud service provider (CSP) seeking to provide a Cloud Service Offering (CSO) to a federal agency must follow FedRAMP guidelines and achieve FedRAMP authorization before doing so. The difference between a CSP and CSO is that a CSP might have many service offerings (like AWS, Azure, or GCP), and the CSO is one or a subset of those service offerings. FedRAMP compliance requires an initial preparatory evaluation before a FedRAMP authorization either through the Joint Authorization Board (JAB) or an Agency. Finally, compliance requires continuous monitoring of the CSP to ensure that it is maintaining FedRAMP cybersecurity standards at all times. 

Image: FedRAMP Authorization Process

Source: FedRAMP Authorization Process

There are two pathways to FedRAMP authorization: the Agency Process and the JAB Process. The JAB process involves a provisional authorization, and the JAB selects a set number (twelve) cloud services each year with the goal of issuing a JAB Provisional Authority to Operate (P-ATO).

The InfoSec Survival Guide: Achieving Continuous Compliance

When Is FedRAMP Required?

FedRAMP is required for any cloud service provider (CSP) who has developed a cloud service offering (CSO) designed to work with a federal agency. Whenever a federal agency shares sensitive federal data on the cloud, it must adhere to FedRAMP standards. When an agency has sought a partnership with a CSP, both need to work together to achieve authorization. 

FedRAMP as an organization aims to foster and improve partnerships with CSPs and seeks to promote secure cloud usage throughout the federal government.

What Are FedRAMP Compliance Requirements?

To achieve FedRAMP compliance, a CSP must conduct an assessment, receive authorization, and maintain continuous monitoring of their cybersecurity measures. What is FedRAMP compliance and how can you achieve authorization? Here are some basic steps for achieving FedRAMP compliance. 

1. Compile Initial FedRAMP Documents

To begin the FedRAMP authorization process, an organization should leverage the resources already available, such as the documents and templates available on the FedRAMP site necessary for preparation, authorization, and monitoring. Once you have completed your FIPS 199 assessment, you will have a better sense of which documents are relevant to your organization, but you should gather preparatory documents and templates here and familiarize yourself with the authorization path you are most likely to take, based on the data you’ll be working with. 

2. FIPS 199 Assessment 

FIPS 199, the Federal Information Processing Standard, was developed by NIST to categorize the data stored and transmitted by cloud computing services as low, moderate, or high-impact. This impact level classification determines the controls a CSP must implement. 

Most organizations that partner with federal agencies fall into the “moderate” category. As the impact level of an organization rises, the stringency of the controls they must implement likewise become stricter.

3. Conduct 3PAO Readiness Assessment 

3PAO is FedRAMP’s acronym for a third-party assessment organization, which will conduct a cybersecurity attestation and create your Readiness Assessment Report (RAR). This step is mandatory for the JAB authorization path and optional, but “highly recommended,” for the Agency Authorization path. 

Even if you opt out of a formal 3PAO readiness assessment, it is always wise to conduct some kind of readiness and preparation prior to seeking out a compliance certification, and that is true of FedRAMP certification as well. Noting any gaps and preparing action plans in advance can streamline the next steps of the FedRAMP compliance process. Establishing a clear baseline of the CSP’s security and risk posture is another benefit of conducting a readiness assessment prior to undergoing the authorization process.

4. Create a Plan of Action and Milestones (POA&M) and Execute

The POA&M is another requirement carried over to FedRAMP from NIST SP 800-53; this step requires that the agency and/or CSP pursuing authorization implement controls that address any known gaps between the FedRAMP requirements and the information systems and related controls in scope. Ideally, this remediation should occur on a systematic schedule, and activities completed to remediate gaps documented.

Even if gaps are identified that cannot be remediated immediately, it’s important to document an action plan and timeline for revisiting that item to demonstrate that the organization is dedicated to mitigating risks and maintaining compliance.

5. Follow the Agency or JAB Process for Authorization 

At this point, the process for becoming FedRAMP authorized diverges slightly depending on whether the CSP is following the “Agency Process” or the “JAB Process” alluded to earlier. The Agency Process yields an Authorization to Operate (ATO), while the JAB Process results in a Provisional Authorization to Operate (P-ATO). 

In the JAB Process, a cloud provider will need to first be evaluated as part of the FedRAMP Connect process, then be selected as one of twelve CSOs annually. Once selected, the CSO must:

  1. Conduct a formal Readiness Assessment with an official 3PAO.
  2. Finalize the System Security Plan (SSP).
  3. Conduct a Full Security Assessment with an official 3PAO.
  4. Remediate findings from Security Assessment Report (SAR) issued by the 3PAO.
  5. Complete JAB evaluation.
  6. If accepted, obtain Provisional Authorization to Operate (P-ATO).
  7. Prepare for continuous monitoring.

In the Agency Process, a CSP can work directly with a federal agency to obtain an Authority to Operate (ATO) following these steps:

  1. (Optional) Conduct a formal Readiness Assessment with an official 3PAO. While this is optional, it is highly recommended.
  2. Meet the requirements for Pre-Authorization and conduct a Kickoff with the Agency.
  3. Conduct a Full Security Assessment with an official 3PAO evaluating compliance to FedRAMP’s security requirements.
  4. Remediate findings from Security Assessment Report (SAR) issued by the 3PAO.
  5. CSP and 3PAO upload materials, including the security package to FedRAMP’s repository and received Authorization to Operate (ATO) letter. 
  6. FedRAMP PMO reviews security package for inclusion in the FedRAMP Marketplace.
  7. Prepare for continuous monitoring.

The main differences between these two approaches are:

  • Who the organization seeking certification is working with.
    • If the organization is working with a federal agency directly, they will follow the Agency Process.
    • If the organization has been chosen to work with the JAB, they will follow the JAB process.
  • Whether a 3PAO Readiness Assessment is required.
    • If the organization is pursuing the agency route, they are not required to perform a 3PAO Readiness Assessment, only a 3PAO Full Security Assessment.
    • If the organization is pursuing the JAB route, they are required to perform a 3PAO Readiness Assessment as well as a 3PAO Full Security Assessment.

6. Maintain Continuous Monitoring 

Once an organization has received formal authorization in the form of an ATO or P-ATO, they are then subject to continuous monitoring, both internally and by the federal agencies they work with. To stay FedRAMP compliant, organizations may have to provide evidence that certain key controls are operating on a monthly and/or annual basis, such as through vulnerability scanning and penetration testing. 

Having automated controls or automating controls where possible can make the continuous monitoring phase easier, along with employing the right compliance and risk management technology. For example, vulnerability scans can be scheduled to run on a set frequency, which eliminates the need for a user to manually begin or perform the scan. Configuring security and other logs to be saved and backed up right away is another good case for automation.

What Are the Different Paths to Achieve FedRAMP Compliance?

There are two paths to achieving FedRAMP compliance; you can seek to obtain Authorization to Operate (ATO) through the Agency Process, or a Provisional Authorization to Operate (P-ATO) through the Joint Authorization Board (JAB). GSA outlines the differences in two very useful flow charts for JAB and Agency Authorization on their site, but the primary difference is whether a CSP is partnering with a specific federal agency from the start of their pursuit of FedRAMP authorization or whether they are taking a government-wide approach with a CSO that could be used by many agencies. 

What Is the Difference Between an Agency and JAB Authorization?

Not quite sure what the difference is between JAB Authorization and Agenda Authorization. Here’s a breakdown:

  • JAB Authorization: The Joint Authorization Board (JAB) is composed of the General Services Administration and CIOs from the Department of Defense and the Department of Homeland Security. This path is appropriate for cloud service offerings (CSOs) classified as moderate or high-impact per FIPS 199. A cloud service provider (CSP) which seeks to work with a federal agency can apply for provisional authorization via JAB prior to developing that partnership, to demonstrate they are FedRAMP compliant. It’s important to note JAB does not accept risk responsibility; each federal agency has its own Authorization Officer. However, JAB’s provisional authorization is more rigorous than an ATO achieved through Agency Authorization; the CSP must also pass muster with the CIOs from the Department of Defense, the General Services Administration, and the Department of Homeland Security. The JAB only works with twelve CSOs per year, and each organization selected for JAB partnership must be thoroughly evaluated before entering the program.
  • Agency Authorization: In the Agency Authorization route, a CSP and an agency work together to achieve authorization, and this path is most appropriate for CSOs classified as low-impact per FIPS 199. An agency that has already chosen to work with a particular CSP can apply for authorization at any time; the agency and CSP will partner throughout the FedRAMP authorization process. Some of the mandatory steps for JAB Authorization, like a 3PAO Readiness Assessment Report (RAR), are optional through the Agency Authorization route. 

What Are the Categories of FedRAMP Compliance?

When a CSP and agency seek an ATO, part of the assessment process includes determining the level of risk impact, or how damaging a cybersecurity breach would be; depending on the agency and the information shared, the risk to the federal government and U.S. citizens can differ greatly. FedRAMP outlines three broad risk levels regarding the type of data that a CSO stores or transmits: low impact, moderate impact, and high impact. Regardless of FIPS classification, cloud security remains of utmost importance for achieving security authorization. These risk levels determine the number of controls necessary to maintain FedRAMP compliance — here’s more information on each: 

1. Low Impact 

According to FedRAMP guidelines, FIPS 199 would categorize a cloud service offering (CSO) as low-impact when “the loss of confidentiality, integrity, and availability would result in limited adverse effects on an agency’s operations, assets, or individuals.” There are fewer security controls necessary for low-impact data. 

2. Moderate Impact 

FedRAMP states nearly 80% of CSP applications that have received FedRAMP authorization are classified as moderate impact, meaning “the loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency’s operations, assets, or individuals.” Serious adverse effects include financial losses and harm to individuals that do not include the loss of life or physical damage. 

3. High Impact 

While breaches to moderate impact data have serious adverse effects, breaches to systems protecting high-impact data would be “severe or catastrophic.” High-impact data is usually related to law enforcement, emergency services, financial systems, or health systems, and includes the “government’s most sensitive, unclassified data in cloud computing environments” and thus requires CSPs to develop, maintain, and monitor their strictest and most copious security controls. 

What Does It Take to Be FedRAMP Certified?

As one would expect from any process designed to protect federal security, preparing for security compliance certifications via FedRAMP can be quite involved, especially if a CSP is categorized as high-risk impact. Once a CSP has achieved authorization, however, they can be listed in the FedRAMP Marketplace, where any federal agency can partner with them in the future. ** ** When considering the effort required to be and stay FedRAMP certified, risk teams shouldn’t neglect the cost of continuous monitoring and updates to guidance that are sure to come in the future.

In terms of cost, FedRAMP compliance can be quite expensive, and require collaboration across the organization. FedRAMP also requires a partnership with a 3PAO for Full Security Assessments, potentially resulting in additional costs due to remediations. However, the potential tradeoff in terms of a relationship with the federal government can significantly outweigh the risks and expense of becoming FedRAMP compliant.

FedRAMP Compliance Takeaways

From FIPS 199 assessments to authorization choices, FedRAMP compliance can be challenging. Keeping up with FedRAMP’s continuous monitoring requirements and maintaining your security package comes with challenges like working with various stakeholders and teams, coordinating vulnerability scans, and testing controls.Compliance management software can help you keep track of your FedRAMP preparation, authorization, and monitoring efforts, bringing all of your risk and compliance functions into one centralized HQ and streamlining the way to FedRAMP certification.

Frequently Asked Questions About FedRAMP Compliance

What Is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP)’s mission is to be, “a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agents.”

What Does It Mean to Be FedRAMP Compliant?

To be FedRAMP compliant, an organization must establish strong internal controls over their Cloud Service Offering (CSO) in compliance with FedRAMP requirements.

What Are FedRAMP Compliance Requirements?

FedRAMP compliance requirements differ based on whether the CSO is classified as high, moderate, or low impact, but generally pull from the NIST 800-53 guidelines.

What Are the Different Paths to Achieve FedRAMP Compliance?

There are two different paths to achieve FedRAMP compliance: Agency, which results in an Authorization to Operate (ATO) and JAB, which results in a Provisional Authorization to Operate (P-ATO).

Vice

Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn.