Achieving FedRAMP certification is a requirement for any organization that wants to work with a government agency. The Federal Risk and Management Program (FedRAMP) is a government-wide cybersecurity risk management program used to evaluate and authorize cloud service provider (CSP) service offerings. FedRAMP was established in 2011 by the Office of Management and Budget (OMB) as a cost-effective, risk-based approach to the implementation and use of cloud services in U.S. federal government departments and agencies.
Why Is FedRAMP Certification Important?
Cloud services that hold or store federal data require FedRAMP authorization, meaning any business that wants to work with the federal government must include FedRAMP authorization as part of their security plan.
Acquiring FedRAMP certification is important as it ensures consistency in the security of cloud services used by the government. It creates a single set of standards for all cloud providers and government agencies which helps instill confidence in clients through stringent security protocols.
When cloud service providers become FedRAMP authorized, they are listed in the FedRAMP Marketplace. This platform is the first place that government agencies look when sourcing a new cloud-based solution.
Most government agencies find it faster and easier to use a cloud-based product that has already been authorized than to start the process from scratch with a new vendor. Therefore, achieving FedRAMP compliance and getting listed in the FedRAMP Marketplace can be a highly profitable endeavor.
What Are The Three FedRAMP Impact Levels?
FedRAMP currently authorizes cloud service providers at low-, moderate- or high-impact levels:
Low-Impact Level
Low-impact level is suitable for cloud service offerings (CSOs) where the loss of integrity, confidentiality, and availability would have limited adverse effects on a government agency’s assets, individuals, and operations.
There are currently two baselines for systems that fall under FedRAMP low-impact level: LI-SaaS Baseline and Low Baseline. Low baseline SaaS applications that do not store personally identifiable information (PII) with the exception of what is required for login capability fall under the LI-SaaS Baseline.
Mandatory security documentation is consolidated and the number of security controls required for testing and verification is lowered relative to Low Baseline authorization.
Moderate-Impact Level
Moderate-impact systems make up nearly 80 percent of CSP applications and are most appropriate for cloud service offerings where the loss of integrity, confidentiality, and availability would likely result in serious adverse effects on an agency’s assets, individuals, or operations. Some of these adverse effects could cause substantial operational harm to an agency’s finances, assets, or individuals. Under the moderate-impact level, there is no loss of life or physical information.
High-Impact Level
High-impact data is usually found in financial systems, law enforcement and emergency systems, health systems, and similar areas where the loss of integrity, confidentiality, or availability could have catastrophic adverse effects on a business’ organizational assets, operations, or individuals.
FedRAMP’s High Baseline was created to protect the government’s most sensitive, unclassified data in cloud-based computing environments. This includes data that could protect life and prevent financial ruin.
How Is A Target FedRAMP Impact Level Achieved?
Once the appropriate target FedRAMP impact level is determined, businesses can take the necessary steps to achieve compliance. The authorization process typically occurs in four main phases: plan, assess, authorize, and monitor.
1. Plan
The first stage in the authorization process involves planning and documenting. CSPs must first establish a partnership with a federal agency that is interested in using the product.
Next, determine what approach the business will use to achieve authorization. The two main paths to authorization involve getting a Provisional Authority to Operate (PATO) from the Joint Authority Board (JAB) or obtaining an Authority to Operate (ATO) letter from a federal agency.
A CSP must then determine the proper impact level for their system and fulfill the requirements outlined in the FedRAMP Security Controls baseline. The details of the implementation must be documented in a System Security Plan (SSP).
2. Assess
Hire an independent assessor to test the information system and verify that all appropriate controls are implemented and effective. Once testing is complete, the third-party assessment organization (3PAO) or nonaccredited independent assessor (IA) will issue a Security Assessment Report (SAR).
3. Authorize
After the assessment has been completed, the CSP will need to submit a security package to the JAB or the federal agency that they are working with for approval. If approved, the CSP will receive an ATO.
4. Monitor
Receiving an ATO is not the final step in the process. Authorization must be maintained over time through continuous monitoring and compliance with FedRAMP requirements. If an organization fails to maintain an appropriate risk level, authorization can be revoked.
Get Started Today With SeaGlass Technology
SeaGlass Technology is a leader in IT cloud services and can help organizations become compliant through services like advisory consulting and readiness assessments. Schedule a consultation today to speak with a certified IT technician.