The Federal Risk and Authorization Management Program (FedRAMP) is a federal program that promotes the use of secure cloud services. This compliance program, created by the U.S. government, establishes a baseline for cloud-based services and products with regard to security assessment, authorization, and continuous monitoring.
Under FedRAMP, agencies are better equipped to transition from outdated, insecure legacy IT to cost-effective, mission-driven cloud-based IT.
Before a federal agency can use a commercial cloud service offering (CSO), the CSO must first demonstrate FedRAMP compliance. Compliance means being able to prove adherence to the government security requirements found in NIST SP 800-53, as further supplemented by the FedRAMP Program Management Office (PMO). FedRAMP compliance requires cloud service providers (CSPs) to meet several high-level requirements, outlined below.
Paths To Achieving FedRAMP Compliance
Demonstrating FedRAMP compliance requires a CSP to go down one of two paths. On the first path, a FedRAMP Authorization to Operate (ATO) is obtained directly from a federal agency. An agency FedRAMP ATO applies only to that agency and does not mean that other agencies are authorized to use the CSO. After a CSO acquires a FedRAMP ATO with one agency, every other agency that wishes to use the CSO must assess the authorization package to determine whether the CSO's security posture is sufficient for its own risk tolerance.
The second, and more challenging, path requires a CSP to receive a FedRAMP Provisional ATO (P-ATO) from the Joint Authorization Board (JAB). The JAB is composed of representatives from the Department of Defense (DOD), the General Services Administration (GSA), and the Department of Homeland Security (DHS).
Together, the JAB represents all federal agencies in evaluating CSP security postures. However, the JAB does not accept risk on behalf of any federal agency: a P-ATO issued by the JAB signifies that the CSO has been reviewed and approved, but each federal agency remains responsible for issuing its own agency ATO.
Checklist To Achieve FedRAMP Compliance
Regardless of which path a CSP chooses, the process can be highly rigorous. The following checklist outlines the steps a CSP needs to take to achieve FedRAMP compliance:
1. Submit Initial FedRAMP Documents
CSPs are responsible for gathering and completing all documents and templates provided by FedRAMP. These documents can be downloaded and printed directly from the FedRAMP government website and are required for preparation, authorization, and monitoring. At this stage, become familiar with the authorization path the business is most likely to take, based on which path is most relevant to the organization.
2. Implement Controls in Accordance with FIPS 199
FIPS 199 is Federal Information Processing Standard 199. This standard was developed by NIST to categorize the data stored and transmitted by cloud computing services as low, moderate, or high impact. The impact level chosen determines the controls a CSP must implement.
3. Undergo an Assessment by a 3PAO
CSPs that want to achieve FedRAMP compliance must first complete an assessment performed by a FedRAMP third-party assessment organization (3PAO). The 3PAO performs a cybersecurity attestation and prepares a Readiness Assessment Report (RAR) for the organization. A 3PAO assessment is mandatory for the JAB authorization path but only highly recommended for the agency authorization path.
4. Develop a Plan of Action and Milestones (POA&M)
Another step carried over to FedRAMP from NIST SP 800-53 is the POA&M. This step requires the CSP or agency seeking authorization to lay out, as a schedule, how it will implement the proper controls. The goal of this schedule is to document the planned remediation actions that address and resolve the deficiencies or weaknesses identified during the assessment of the controls. A POA&M aims to eliminate any known vulnerabilities found within the system.
5. Obtain Either an Agency ATO, a Provisional ATO, or JAB Approval
The CSP will need to decide whether it is seeking an agency authorization to operate, a provisional authorization to operate, or approval from the JAB. While there are no wrong choices, some paths may be more difficult than others.
6. Implement a Continuous Monitoring Program
The final step in FedRAMP compliance is implementing a continuous monitoring (ConMon) program that includes monthly vulnerability scans. This step ensures that the organization remains compliant and that any risks are promptly addressed before they can negatively impact the CSO.
Speak with the FedRAMP Compliance Professionals at SeaGlass
The federal government wants more agencies to use cloud services, as they enable agencies to save time and money while improving their overall efficiency. FedRAMP also reduces cybersecurity threats to vendors, because it allows agencies to detect cybersecurity vulnerabilities more quickly. To learn more about FedRAMP compliance requirements or to speak with an experienced NYC IT service professional, reach out to the experts at SeaGlass Technology.