As an information security and audit firm focused on the compliance needs of service providers, A‑LIGN’s accreditation as a FedRAMP third party assessment organization (“3PAO”) is a natural fit with our existing service offerings. Since becoming a FedRAMP 3PAO, we have noticed a trend in client calls stating their customers are inquiring about FedRAMP or that FedRAMP is being discussed during the sales cycle with prospective customers. With that being said, I thought it would be beneficial to outline the most common FedRAMP questions we have received with detailed responses.
What is FedRAMP and does it apply to me?
As explained by FedRAMP on their website, “The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves money, time, and staff required to conduct redundant agency security assessments.”
Federal agencies that host their technology in the Cloud are required to use a FedRAMP certified Cloud Service Provider (“CSP”). Although FedRAMP is designed specifically for Federal agencies, we are finding that many State governments are also inquiring about FedRAMP when working with our CSP clients. Another alternative State governments are considering is StateRAMP.
If you are hosting Federal systems, or if doing so is a primary focus of your growth strategy, then FedRAMP applies to your environment.
Why was FedRAMP developed?
FedRAMP defines the program goals and benefits on their website as:
- Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
- Increase confidence in security of cloud solutions
- Achieve consistent security authorizations using a baseline set of agreed upon standards to be used for Cloud product approval in or outside of FedRAMP
- Ensure consistent application of existing security practices
- Increase confidence in security assessments
- Increases re-use of existing security assessments across agencies
- Saves significant cost, time and resources – “do once, use many times”
- Improves real-time security visibility
- Provides a uniform approach to risk-based management
- Enhances transparency between government and cloud service providers (CSPs)
- Improves the trustworthiness, reliability, consistency, and quality of the Federal security authorization process
You will notice that “increased security” and “reduced cost” are the primary drivers behind each point in the FedRAMP list above.
As Federal agencies adopt the Cloud computing model, they reap the same benefits as the private sector and are also exposed to the same risks that come with outsourcing the information technology function. FedRAMP addresses these risks by establishing a standard set of security controls that allow Federal agencies to take advantage of the Cloud.
How do I become FedRAMP certified?
Once the Authority to Operate (“ATO”) letter is received, the following steps are performed to reach a FedRAMP Authorized designation.
- Step 1: CSP and 3PAO upload current versions of package deliverables to secure repository
- Step 2: CSP completes and submits FedRAMP Initial Authorization Package Checklist to [email protected]
- Step 3: PMO verifies that all package deliverables are uploaded
- Step 4: Package is placed in the PMO Review Team’s queue; packages are reviewed in the order they are received. Note: package review typically takes 10 business days
- Step 5: PMO review team sends draft Review Report to all stakeholders (CSP, 3PAO, agency)
- Step 6: CSP/3PAO addresses findings, resubmits the package, and notifies [email protected]
- Step 7: PMO performs gap review
The FedRAMP Marketplace is updated once a Cloud Service Offering (“CSO”) earns FedRAMP Authorization. The FedRAMP PMO makes the CSO security package available to the Federal government, but, due to the sensitive nature of the information, access is controlled through a request form and requires the PMO’s approval.
The security control documentation phase consists of completing the templates provided by FedRAMP. The System Security Plan template alone is over 300 pages. If all controls are already in place, this is still a significant documentation exercise; if the controls are not in place or the security processes have not been implemented, the controls should be implemented before the documentation is completed. Many companies are electing to obtain outside assistance with the documentation phase due to the level of effort required.
The security testing phase is performed by a FedRAMP 3PAO, like A-LIGN, following the prescribed testing procedures provided by FedRAMP. To ensure a consistent level of information security controls and auditing, the testing procedures are very prescriptive and comprehensive.
How do I get started?
There are several routes you can take to FedRAMP certification, but they all depend on your current level of compliance with NIST 800-53. Organizations that are familiar with the controls, and are possibly FISMA certified, may choose to jump right into the FedRAMP process. However, if you are not familiar with FISMA or FedRAMP and have never written a system security plan, we recommend that you evaluate your current controls and processes against the FedRAMP requirements and create a project plan to prepare for the FedRAMP authorization process. You may also elect to perform a FedRAMP readiness assessment, or gap assessment, to determine your level of readiness for the 3PAO assessment.
Whatever your path or level of readiness, we recommend that you research and ask questions to understand the impact of FedRAMP on your business and the level of effort required to reach your goal.