A Step-by-Step Guide to FedRAMP Authorization
If your organization currently serves, or is seeking to serve, cloud products or solutions to a federal agency then you already know you must undergo a Federal Risk and Authorization Management Program (FedRAMP) assessment.
Created in 2011, FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services relied upon by federal entities that store, process, and transmit federal information. The goal of FedRAMP is to provide a set of agreed-upon standards to be used for cloud product approval.
Once you’ve secured agency sponsorship and developed a System Security Plan (SSP) based on your defined categorization level (Low, Moderate, or High), it’s time to work with a FedRAMP 3PAO to perform your Security Assessment. That’s where A-LIGN comes in. A-LIGN is an accredited FedRAMP 3PAO (third-party assessment organization) and one of the top 3 FedRAMP assessors in the world.
Here is a look at the step-by-step process you’ll need to complete to earn FedRAMP authorization with A-LIGN.
Before You Begin
This article is intended for companies that have already secured a sponsor and developed an SSP. If you haven’t yet done that, we recommend you take some time to research the FedRAMP process and potentially conduct a FedRAMP readiness assessment.
Research
At A-LIGN, we recommend organizations review the following materials to ensure they have a baseline level of knowledge to help prepare for the FedRAMP assessment process:
- Everything You Need to Know About FedRAMP
- 3 Tips to Prepare for FedRAMP Authorization
- FedRAMP: Understanding the Fundamentals (FAQ)
- FedRAMP for Cloud Service Providers – Top 4 Questions Answered
- CSP Authorization Playbook: Getting Started with FedRAMP
- FedRAMP Security Controls Baseline
- FedRAMP Marketplace Designations for Cloud Service Providers
- FedRAMP Initial Authorization Package Checklist
Readiness Assessment
Organizations that are familiar with the controls within NIST 800-53, and are FISMA certified, can jump right into the FedRAMP process. If you are not familiar with FISMA or FedRAMP, and have never written a system security plan, we recommend that you perform a FedRAMP readiness assessment, or gap assessment, to determine your level of readiness for the 3PAO assessment.
A-LIGN can conduct a readiness assessment for you, in which we will review your environment and determine if it is technically capable of meeting FedRAMP requirements. This is a great way to get a pulse on your current environment before investing time and resources into a full assessment.
Step 1. Pre-Assessment Review (1-4 Weeks)
If you are ready for an official assessment and have signed a contract with A-LIGN, then we’ll kick off our work with a pre-assessment review phase. During this phase, you will finalize the Cloud Service Offering System Security Plan — which you previously developed — and provide the SSP package (including all attachments) to A-LIGN for review.
We will use that information to perform a FedRAMP Pre-Assessment Review. During this review, we’ll ensure we have everything we need to proceed with the assessment without any delays. Keep in mind that the quality of the evaluation is dependent on the accuracy and volume of information you provide to us. The more you can provide, the better.
Once the review is complete and it has been determined you are ready for the FedRAMP assessment, we will schedule a kick-off meeting with you, and our team at A-LIGN to plan out the full assessment.
Step 2. Planning Activities (4 Weeks)
After the Pre-Assessment Review phase, you will need to submit responses to the initial Information Request List (IRL) that A-LIGN provides. While you are working on the IRL responses, we will submit a few materials to your sponsor to review. These include:
- An Authority to Test (ATT) – This is part of our penetration test planning.
- A Security Assessment Plan (SAP).
Step 3. Assessment Activities (7 weeks)
This is the longest phase of the FedRAMP process and consists of fieldwork. The fieldwork is split into phases where we interview members of your team about your cloud service offering and the security controls implemented and review the evidence confirming the proper implementation of FedRAMP security requirements. Keep in mind that we do not begin our evidence review until at least 90% of the IRL evidence is provided by your team. It’s important to plan ahead, so we can stay on schedule throughout the assessment process and avoid delays.
We will also conduct a penetration test at this time. The penetration test is required for all FedRAMP Authorization assessments for Moderate and High impact systems. Although the penetration test is not a requirement for FedRAMP Ready assessments, it is recommended as a safety net to eliminate any surprises we may encounter during the actual authorization testing.
Once we conduct the penetration test and get through a majority of the evidence review, we will analyze and discuss the findings with your team via a draft risk exposure table (RET). Once that draft RET is provided to your team, you can create a plan of action and milestones (POA&M) to remediate these issues.
Step 4. Reporting Activities (5 weeks)
Upon completion of our full evidence review and penetration test and any remediation to correct findings outlined in the draft RET, a draft Security Assessment Report and penetration test report will be provided for review.
We will analyze and discuss the findings with your team after the remediation period and before drafting a report for you. Once the final report is complete, it will be sent to your Sponsor who will review the SSP and the SAR together.
Step 5. Sponsor Issues Authority to Operate (2-3 weeks)
After the Sponsor completes their review, the Sponsor will issue an ATO and the FedRAMP Authorization Package will be sent to FedRAMP to review. Once FedRAMP’s review is complete, you will get your cloud solution offering’s official designation as a FedRAMP Authorized. FedRAMP will list your cloud solution offering as “Authorized” on the FedRAMP marketplace.
Step 6. Maintain Authorization
It’s important to remember that FedRAMP authorization is not a set-it-and-forget-it process. Ongoing assessments are required to maintain FedRAMP authorization, as annual assessments are required along with meeting FedRAMP continuous monitoring requirements with your Sponsor.
The A-LIGN team can provide annual assessments (including penetration testing, control assessments, systems scanning, and more) to ensure your cloud solution offering maintains FedRAMP compliance.
We can also conduct one-off assessments to ensure compliance after your organization undergoes major changes (like an acquisition). During a “Significant Change Request Assessment,” we will review and assess any significant changes that may impact your compliance with FedRAMP requirements.
For more information about what to expect after authorization, we recommend organizations review these materials from FedRAMP:
Get Started with A-LIGN
At A-LIGN, we are one of the top FedRAMP assessors in the world, with a 96% satisfaction rating from our customers. Our experts can help you through every step of the process — from a readiness assessment to final authorization.
Contact A-LIGN today to learn more about our FedRAMP services.
