The U.S. Federal Government has promoted adoption of cloud computing since the Office of Management and Budget issued its Cloud First policy in 2011. The goal was to make information and information sharing easier, more accessible, and faster across federal agencies and to improve communication between the government and U.S. citizens. In 2018, Cloud First evolved into Cloud Smart, which provided further guidance on the security, procurement, and workforce aspects of adopting cloud computing services. As these policies developed, so did the need for strong cybersecurity measures.
The Federal Risk and Authorization Management Program (FedRAMP) is a program housed in the U.S. General Services Administration developed to standardize the assessment, authorization, and monitoring of cloud computing services used by federal agencies. If you are a CSP or federal agency seeking to adopt cloud computing services, you need to be familiar with FedRAMP. So, what is FedRAMP compliance and what steps do you need to take to make sure you’re following FedRAMP standards? Read on to learn more.
What Is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a program developed by the U.S. government to standardize the security risk assessment, authorization, and ongoing monitoring of cloud computing services used by federal agencies. The program is housed in the General Services Administration and operates in conjunction with the Department of Homeland Security and the Department of Defense. FedRAMP's security control baselines are built on the National Institute of Standards and Technology (NIST) Special Publication 800-53, and a FedRAMP authorization supports federal agency compliance with FISMA and OMB Circular A-130.
What Does It Mean to Be FedRAMP Compliant?
So, what does FedRAMP compliance mean for your organization? Any cloud service provider (CSP) that seeks to work with a federal agency must follow FedRAMP guidelines and achieve FedRAMP authorization. FedRAMP compliance requires an initial preparatory assessment, then a FedRAMP authorization either through the Joint Authorization Board or an agency, and finally continuous monitoring of the cloud service offering to ensure that the CSP is maintaining FedRAMP cybersecurity standards.
When Is FedRAMP Required?
FedRAMP is required for any cloud service provider (CSP) that has developed a cloud service offering (CSO) designed to work with a federal agency. Whenever a federal agency stores or processes its information in a cloud service, that service must adhere to FedRAMP standards. When an agency has sought a partnership with a CSP, both need to work together to achieve authorization.
What Are FedRAMP Compliance Requirements?
To achieve FedRAMP compliance, a CSP must undergo assessment, receive authorization, and maintain continuous monitoring of its cybersecurity measures. What is FedRAMP compliance and how can you achieve authorization? Here are the basic steps and a few common FedRAMP acronyms:
1. Complete Initial FedRAMP Documents
FedRAMP has compiled the documents and templates necessary for preparation, authorization, and monitoring. Once you have completed your FIPS 199 assessment, you will have a better sense of which documents are relevant to your organization, but you should gather the preparatory documents and templates from the FedRAMP site early and familiarize yourself with the authorization path you are most likely to take, based on the data you'll be working with.
2. FIPS 199 Assessment
FIPS 199, the Federal Information Processing Standard for security categorization of federal information and information systems, was developed by NIST to categorize the information stored and transmitted by a cloud service offering as low, moderate, or high impact. Each type of information is rated by the potential impact of a loss of confidentiality, integrity, or availability, and the system's category for each of those objectives is the highest rating (the high-water mark) among its information types. The resulting impact level determines which FedRAMP baseline, and therefore which set of controls, the CSP must implement.
3. Conduct 3PAO Assessment
3PAO is FedRAMP's acronym for third-party assessment organization, an independent assessor accredited to evaluate cloud service offerings against the FedRAMP baselines. The 3PAO conducts a readiness assessment and documents the results in a Readiness Assessment Report (RAR); a 3PAO also performs the full security assessment later in the process and produces the Security Assessment Report (SAR) that goes into the authorization package. The readiness assessment is mandatory for the JAB authorization path and optional, but "highly recommended", for the Agency Authorization path.
4. Create Plan of Action and Milestones (POA&M)
The POA&M is another requirement carried over to FedRAMP from NIST SP 800-53. The agency and/or CSP seeking authorization must record each weakness or deficiency found during control assessment, the planned remediation action, and a milestone date for completing it; in the words of SP 800-53, the plan exists "to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system."
5. Obtain ATO or P-ATO
A CSP will have to determine whether it is seeking an authorization to operate (ATO), which an individual agency issues, or a provisional authorization to operate (P-ATO), which the JAB issues for agencies to reuse. These correspond to the two authorization paths, Agency and JAB, which we explain in greater detail below.
6. Maintain Continuous Monitoring
Once you have obtained an ATO or P-ATO, you must create and follow a schedule for continuous monitoring. In practice this means monthly vulnerability scanning of operating systems, databases, and web applications, monthly POA&M updates, an annual assessment by a 3PAO, and reporting of incidents and significant changes to the authorizing body.
What Are the Different Paths to Achieve FedRAMP Compliance?
There are two paths to achieving FedRAMP compliance; you can seek to obtain authorization to operate (ATO) through the Joint Authorization Board (JAB) or through an Agency. GSA outlines the differences in two very useful flow charts for JAB and Agency Authorization on their site, but the primary difference is whether a CSP is partnering with a specific federal agency from the start of their pursuit of FedRAMP authorization or whether they are flying solo and seeking partnership post-authorization.
What Is the Difference Between an Agency and JAB Authorization?
Not quite sure what the difference is between JAB Authorization and Agency Authorization? Here's a breakdown:
JAB Authorization: The Joint Authorization Board (JAB) is composed of the CIOs of the General Services Administration, the Department of Defense, and the Department of Homeland Security. This path is appropriate for cloud service offerings (CSOs) classified as moderate or high impact per FIPS 199. A cloud service provider (CSP) that seeks to work with a federal agency can apply for a provisional authorization via the JAB before developing that partnership, to demonstrate that it is FedRAMP compliant. It's important to note that the JAB does not accept risk on an agency's behalf; each federal agency has its own Authorizing Official who issues the agency's ATO based on the P-ATO. However, the JAB's provisional authorization is more rigorous than an ATO achieved through Agency Authorization, because the CSP must pass muster with all three CIOs. Note that the FedRAMP Authorization Act of 2022 has since replaced the JAB with a FedRAMP Board, so check the current FedRAMP site for the authorization paths on offer today.
Agency Authorization: In the Agency Authorization route, a CSP and an agency work together to achieve authorization, and this path is most appropriate for CSOs classified as low impact per FIPS 199. An agency that has already chosen to work with a particular CSP can apply for authorization at any time; agency and CSP partner throughout the FedRAMP authorization process. Some of the steps that are mandatory for JAB Authorization, like a 3PAO Readiness Assessment Report (RAR), are optional through the Agency Authorization route.
What Are the Categories of FedRAMP Compliance?
When a CSP and agency seek an ATO, part of the assessment process includes determining the level of risk impact, or how damaging a cybersecurity breach would be; depending on the agency and the information shared, the risk to the federal government and U.S. citizens can differ greatly. FedRAMP outlines three broad risk levels regarding the type of data that a CSO stores or transmits: low impact, moderate impact, and high impact. These risk levels determine the number of controls necessary to maintain FedRAMP compliance — here’s more information on each:
1. Low Impact
According to FedRAMP guidelines, FIPS 199 categorizes a cloud service offering (CSO) as low impact when "the loss of confidentiality, integrity, and availability would result in limited adverse effects on an agency's operations, assets, or individuals." Fewer security controls are required for low-impact data.
2. Moderate Impact
FedRAMP states that nearly 80% of CSP applications that have received FedRAMP authorization are classified as moderate impact, meaning "the loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency's operations, assets, or individuals." Serious adverse effects include significant financial loss and harm to individuals that does not involve loss of life or serious physical injury.
3. High Impact
While breaches of moderate-impact data have serious adverse effects, breaches of systems protecting high-impact data would be "severe or catastrophic." High-impact data is usually related to law enforcement, emergency services, financial systems, or health systems, and includes the "government's most sensitive, unclassified data in cloud computing environments"; it therefore requires CSPs to develop, maintain, and monitor their strictest and most extensive set of security controls.
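The FIPS 199 step in the compliance checklist above and the three impact levels just described are two views of the same categorization rule, so here is one worked example covering both. It is an added example for this article, not code from FedRAMP, GSA, or NIST: it implements the FIPS 199 high-water-mark rule (each information type is rated for confidentiality, integrity, and availability; the system takes the highest rating per objective, with a LOW floor because "not applicable" is only permitted for an information type's confidentiality; the overall impact level is the highest of the three and selects the Low, Moderate, or High baseline). The information types, their ratings, and the function names are our own constructed assumptions.

```python
"""FIPS 199 security categorization, worked as code.

Added example for this article; not FedRAMP's, GSA's or NIST's own tooling.
Implements the rule from FIPS 199 section 3: each information type gets a
potential-impact value (LOW, MODERATE, HIGH, or NA for confidentiality only)
for each security objective; the information system's category for each
objective is the high-water mark across its information types, floored at LOW
because NA is not permitted at the system level; and the overall impact level,
which selects the FedRAMP Low, Moderate or High baseline, is the high-water
mark across the three objectives. Sample information types are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Ordering used for the high-water-mark comparison.
LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
LEVEL_NAMES = {rank: name for name, rank in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One type of information the cloud service offering stores or processes."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _rank(info: InformationType, objective: str) -> int:
    """Validate one rating and return its rank for comparison."""
    value = getattr(info, objective).strip().upper()
    if value not in LEVELS:
        raise ValueError(f"{info.name}: {objective} rating {value!r} is not LOW, MODERATE, HIGH or NA")
    # FIPS 199 allows 'not applicable' only for confidentiality (e.g. public
    # information); every information type has some integrity/availability impact.
    if value == "NA" and objective != "confidentiality":
        raise ValueError(f"{info.name}: NA is only permitted for confidentiality, not {objective}")
    return LEVELS[value]


def categorize_information_type(info: InformationType) -> dict[str, str]:
    """Security category of a single information type (NA allowed for confidentiality)."""
    return {obj: LEVEL_NAMES[_rank(info, obj)] for obj in OBJECTIVES}


def categorize_system(info_types: Iterable[InformationType]) -> dict[str, str]:
    """Security category of the information system: per-objective high-water mark.

    FIPS 199 does not allow NA at the system level, so each objective is
    floored at LOW even if every information type is rated NA for it.
    """
    types = list(info_types)
    if not types:
        raise ValueError("an information system must have at least one information type")
    return {
        obj: LEVEL_NAMES[max(LEVELS["LOW"], max(_rank(t, obj) for t in types))]
        for obj in OBJECTIVES
    }


def overall_impact(system_category: dict[str, str]) -> str:
    """Overall impact level: the high-water mark across the three objectives."""
    return LEVEL_NAMES[max(LEVELS[v] for v in system_category.values())]


def format_category(category: dict[str, str]) -> str:
    """Render in the SC = {(objective, impact), ...} notation FIPS 199 uses."""
    inner = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + inner + "}"


# Constructed sample: a hypothetical records-management SaaS offered to an agency.
SAMPLE_TYPES = [
    InformationType("Public web content", "NA", "LOW", "LOW"),
    InformationType("Agency case records (PII)", "MODERATE", "MODERATE", "LOW"),
    InformationType("Audit logs", "LOW", "MODERATE", "LOW"),
]

if __name__ == "__main__":
    for t in SAMPLE_TYPES:
        print(f"{t.name}: {format_category(categorize_information_type(t))}")
    system_sc = categorize_system(SAMPLE_TYPES)
    print(f"System: {format_category(system_sc)}")
    print(f"Overall impact level (FedRAMP baseline): {overall_impact(system_sc)}")
```

Running it on the constructed sample yields a Moderate system (confidentiality and integrity at MODERATE, availability at LOW), which is the case the article says covers nearly 80% of authorized offerings. Adding a single information type rated HIGH for any objective, say an emergency-dispatch feed with HIGH availability, pulls the whole system up to the High baseline, which is why scoping which information types a CSO actually handles is worth doing carefully before the FIPS 199 assessment.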
What Does It Take to Be FedRAMP Certified?
As one would expect from any process designed to protect federal security, preparing for FedRAMP authorization can be quite involved, especially if a CSO is categorized as high impact. Once a CSP has achieved authorization, however, its offering can be listed in the FedRAMP Marketplace, where any federal agency can find it and partner with the CSP in the future.
FedRAMP Compliance Takeaways
What is FedRAMP compliance designed to accomplish? The protection of the federal government's most sensitive information and the security of the nation. When it comes to the importance of information security in organizations, the federal government necessarily runs a tight ship. From FIPS 199 assessments to authorization choices, FedRAMP compliance can be challenging; compliance management software can help you keep track of your FedRAMP preparation, authorization, and monitoring efforts.