FedRAMP refers to the Federal Risk and Authorization Management Program, a US government-created program to smooth the connection between its federal agencies and cloud service providers.
The General Services Administration (GSA) established the FedRAMP Program Management Office (FedRAMP PMO) to help achieve the following goals:
- Help cloud service providers offer their services to the federal government.
- Connect cloud service providers with third-party assessment organizations (3PAOs).
- Allow government agencies to make more use of secure cloud solutions.
- Improve how governments secure and authorize cloud computing technologies, including the use of Federal Information Processing Standard (FIPS) encryption.
- Develop partnerships with FedRAMP stakeholders.
This post will examine the benefits of using FedRAMP and will provide an overview of the system and its requirements for cloud service offerings (CSOs).
FedRAMP Benefits
The government introduced FedRAMP as an interface between federal agencies and increasingly used cloud products that must be secured to a sufficient standard. FedRAMP helps federal agencies and cloud service offerings (CSOs) connect while also providing standardization.
Through FedRAMP, federal agencies can reuse authorizations. Once authorized, a cloud service can be used by multiple agencies, which is more efficient and streamlines processes for all federal agencies.
Federal agencies can also benefit from the following when using FedRAMP:
- Reduce inconsistencies
- Increase efficiency, especially by avoiding duplication of effort
- Facilitate innovation and the development of more secure information technologies
- Ensure the use of a clear, standardized, common security framework that promotes the use of secure cloud services
- Offer a standardized system for risk assessment in connection with cloud products
The FedRAMP Authorization Process
Through FedRAMP, the federal government aims to promote more widespread and efficient use of modern cloud technologies. However, this cannot be achieved without the requisite levels of security and assurances that CSOs have met and continue to meet those standards.
FedRAMP's emphasis is therefore on security and information protection. It uses a risk-based system to assess and approve potential partners to the federal government.
Cloud services must meet standard security requirements in accordance with the following:
- The Federal Information Security Modernization Act (FISMA) requires that federal agencies safeguard federal data.
- Office of Management and Budget (OMB) Circular A-130 specifies that FISMA implementation must follow National Institute of Standards and Technology (NIST) standards.
- FedRAMP Policy — FedRAMP requirements draw on NIST standards and guidelines to standardize what federal agencies require from cloud services and provide conformity assessment and authorization packages.
There are two main paths to authorization: the Joint Authorization Board (JAB) and the individual agency process. Although CSOs can engage with an individual federal agency at any time, seeking authorization from the JAB prioritizes authorization through the FedRAMP system.
Once authorized, FedRAMP stores the security details of the CSO, whichever path was used. As this post is concerned with exploring FedRAMP, it will look at the JAB authorization path, which uses FedRAMP more heavily.
The JAB Authorization Path
The JAB includes Chief Information Officers (CIOs) from the General Services Administration (GSA), the Department of Homeland Security (DHS), and the Department of Defense (DoD). As FedRAMP's primary governing body, it performs the continuous monitoring required for authorized CSOs to remain a part of the FedRAMP program.
FedRAMP agency authorization takes place across three stages:
- Preparation
- Authorization
- Continuous Monitoring
Stage 1 - Preparation
During the preparation phase, CSOs are expected to make the relevant technical and procedural adjustments required to become FedRAMP-compliant.
At this stage, several security deliverables are necessary. The CSO can put these together itself, or it can enlist the help of a third-party assessment organization (3PAO). In any case, a 3PAO will be necessary to audit the CSO and attest that it meets the requirements of the FedRAMP program.
The JAB evaluates CSOs through the FedRAMP Connect system. In this way, it prioritizes 12 CSOs per year using JAB Prioritization Criteria. The JAB then selects CSOs at specific times during the year.
CSOs must meet JAB Prioritization Criteria to use this service, completing a FedRAMP Business Case (a PDF and Excel worksheet) and sending it to info@fedramp.gov to prove their need for a fast-tracked security authorization. Mostly, this involves proving there is already a wide federal agency demand for the CSO.
Following this, a Readiness Assessment is required. While this is optional if a CSO works directly with an agency, it is obligatory for those using the JAB authorization process.
The Readiness Assessment includes:
- Development of the Readiness Assessment Report (RAR)
- A review of the RAR
- Remediation, if required
When the CSO is deemed FedRAMP Ready, it can then undergo a full security assessment. This assessment involves:
- Finalizing the System Security Plan (SSP) and connecting with an approved 3PAO
- Development of a Security Assessment Plan (SAP) by the 3PAO, a full security assessment, and the production of a Security Assessment Report (SAR)
- Development of a Plan of Action and Milestones (POA&M) by the CSP, which is intended to monitor and manage security risks based on the SAR
- Deliverables confirming one month of continuous monitoring
These four categories of information should be submitted simultaneously using templates provided at fedramp.gov.
How long preparation takes depends on the CSO’s infrastructure and security posture in relation to government standards. Following a full month of continuous monitoring, the process will take at least two weeks to progress to the next stage, which is authorization.
Stage 2 - Authorization
Once initialized, this part of the JAB authorization path takes roughly three months to complete. During this time, the JAB performs a security package review, a risk analysis, and determines which risks to accept.
Reviewing the Readiness Assessment, remediation, and final review should each take around four weeks. Having passed successfully through this security assessment, the CSO can receive a Provisional Authority to Operate (P-ATO) and a FedRAMP Marketplace Designation.
Whichever route is taken, whether direct or through a JAB, the security packages are stored by FedRAMP for review, risk analysis, and reuse.
Stage 3 - Continuous Monitoring
This is arguably post-authorization, but it is nonetheless a critical part of the security authorization process for CSOs seeking contracts with the US Government.
All CSOs that have achieved FedRAMP compliance must submit to the following:
- Yearly assessments
- Monthly vulnerability scans
In addition, their deliverables must include:
- Incident reporting
- Making Deviation and Significant Change Requests
Ultimately, individual agencies are responsible for final approval regarding CSOs. However, JAB facilitates continuous monitoring and helps federal agencies make those decisions.
Throughout the continuous monitoring process, the JAB maintains responsibility for the following:
- Regularly reviewing continuous monitoring and security artifacts
- Suspending or revoking a CSO’s P-ATO, according to FedRAMP compliance criteria
- Authorizing or denying a CSO’s Deviation and Significant Change Requests
- Ensuring the prompt transmission of continuous monitoring deliverables to leveraging agencies
Levels of FedRAMP Agency Authorization
Achieving JAB authorization is not the end game for FedRAMP certification. Continuous monitoring means constantly maintaining the levels attained during the preparation phase and any remedial activities.
Furthermore, there are three security authorization levels. The category into which a CSO falls determines which federal agencies could potentially partner with it.
To categorize CSOs, JAB considers three common and pivotal cybersecurity objectives: Confidentiality, Integrity, and Availability (CIA).
- Confidentiality — Access to information systems must include data and privacy protection protocols.
- Integrity — Information in storage must be protected from being destroyed or modified without authorization.
- Availability — The information stored by the CSO must remain accessible when it is needed.
In view of these three considerations and using security controls derived from the National Institute of Standards and Technology’s NIST SP 800-53, CSOs can find themselves placed in one of three impact levels according to their security postures:
- Low impact
- Moderate impact
- High impact
Low Impact Level
This is the category for CSOs suitable for processing or storing low-impact data. The low impact here means that compromising confidentiality, integrity, or availability would have limited negative effects on the federal agency.
According to FedRAMP, low-impact data has two baselines:
LI-SaaS Baseline
This refers to Low-Impact SaaS (Software as a Service) applications that only store personally identifiable information (PII) for login purposes. Accordingly, a CSO requires fewer security controls to achieve and maintain this level of FedRAMP accreditation.
Low Baseline
The Low Baseline impact categorization necessitates more NIST SP 800-53 security controls than the LI-SaaS Baseline and still requires testing and verification, but fewer controls are required than for Moderate or High Impact CSOs.
Moderate Impact Level
Most CSP applications achieving a FedRAMP certification are in the moderate impact category. This is for CSOs in which the loss of confidentiality, integrity, or availability would cause significant negative effects for a federal agency in terms of its people, its assets, and its operations.
High Impact Level
The High Impact Level category is usually reserved for CSOs that work with critical systems, such as those in finance, healthcare, law enforcement, and emergency services. Loss of confidentiality, integrity, or availability for such services could lead to severe or even catastrophic detrimental effects.