Everything You Need to Know About FedRAMP Authorization
It’s no secret that cyberattacks are on the rise. In fact, in June 2021 alone, more than 78.4 million ransomware attacks were attempted.
With the rise in attacks comes wariness from customers: no one wants to work with an organization at elevated risk of falling victim to an attack. When it comes to the Federal government, that rings especially true.
The Federal government has put measures into place to help mitigate risk when working with partner organizations. In fact, these organizations are required to maintain certain cybersecurity standards and authorizations in order to do business with the Federal government.
One of those requirements is the Federal Risk and Authorization Management Program, also known as FedRAMP. In this post, we’ll provide you with everything you need to know about the FedRAMP authorization process.
With cyberattacks and cloud-based technologies on the rise, federal departments and agencies needed a cost-efficient and risk-based approach to cloud adoption.
This led to the creation of the Federal Risk and Authorization Management Program (FedRAMP) in 2011. FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring specifically for cloud products and services that federal entities use to store, process, or transmit federal information.
As a government cybersecurity framework, the goal of FedRAMP is to accelerate the adoption of secure cloud solutions through the use of assessments and authorizations. For organizations that achieve FedRAMP authorization, it’s a powerful validation of the security of the organization’s cloud solution.
Prior to FedRAMP, the U.S. government introduced the Federal Information Security Management Act of 2002, or FISMA.
FISMA is the law directing federal agencies to develop and maintain an information security program. To bring together the FISMA-related standards and guidelines, NIST created the Risk Management Framework (RMF): whereas FISMA establishes the requirements of an agency's cybersecurity program, the RMF defines how that program categorizes, assesses, authorizes, and monitors IT systems.
FedRAMP is a cloud-specific application of the RMF. Agency FISMA programs and FedRAMP draw their controls from the same catalog, NIST SP 800-53 (FedRAMP layers additional controls and parameter values onto the NIST baselines), but the two have different authorization processes.
We’ve established the difference between FedRAMP and FISMA, but there’s still another framework that FedRAMP shares many similarities with: The State Risk and Authorization Management Program (StateRAMP).
StateRAMP provides a comprehensive security framework designed to improve cloud security for state and local governments.
Like FedRAMP and FISMA, StateRAMP’s Security Assessment Framework process is also modeled after the National Institute of Standards and Technology (NIST) Risk Management Framework.
Despite the similarities, the two are not interchangeable. StateRAMP gives state and local governments access to the continuous monitoring results and security postures of their vendors; FedRAMP packages, by contrast, are shared with the federal agencies that work with a provider or request access to its package.
For CSPs that do business with both federal and state/local government and are already FedRAMP authorized, StateRAMP has a reciprocity program that allows these organizations to take an accelerated path to StateRAMP authorization.
As more and more organizations seek business relationships with government agencies there is a greater need for confidence in the security of cloud solutions.
The goal of FedRAMP is to increase confidence in the security of cloud solutions through continuous monitoring and consistent use of best information security practices and procedures. This streamlined, regulated approach helps mitigate the risk of cyberattacks.
Federal agencies that host systems in the cloud are required to use FedRAMP authorized cloud services (FedRAMP authorizes offerings; it does not issue certificates, so "FedRAMP certified" is a misnomer). If you want to do business with the government and host federal information, FedRAMP applies to your environment and you will need an authorization.
State government agencies may also require third-party CSPs to be FedRAMP authorized.
How Do I Get FedRAMP Authorized?
FedRAMP is a standardized assessment and authorization process intended as a single, reusable path for CSPs seeking to do business with the U.S. government: one assessment that many agencies can rely on.
There are two paths CSPs can take to achieve FedRAMP authorization:
- Through an agency authorization, in which a federal agency sponsors the CSP, reviews its security package, and issues the Authority to Operate (ATO).
- Through the Joint Authorization Board (JAB), the primary governance and decision-making body for FedRAMP, which issues a Provisional Authority to Operate (P-ATO).
Although organizations are able to choose which path to pursue, most choose agency authorization. The JAB path is very competitive: the JAB selects only about 12 systems per year (three per quarter) to work with.
Even though the authorization processes are similar, it is helpful to know a little more about the differences in each approach before starting on your authorization journey.
The JAB is the primary governing body for FedRAMP and includes the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA). The JAB selects approximately 12 cloud products a year to work with for a JAB Provisional Authority to Operate (P-ATO).
The JAB Authorization process involves:
- An evaluation via FedRAMP Connect
- Completing a readiness assessment
- Completing a full-security assessment
- Achieving authorization via the JAB
- Continuous monitoring post-authorization
In the Agency Authorization path, agencies may work directly with a CSP for authorization at any time. CSPs that make a business decision to work directly with an agency to pursue an ATO will work with the agency throughout the FedRAMP Authorization process.
The Agency Authorization process involves:
- An optional, yet highly recommended, readiness assessment
- Achieving agency authorization
- Continuous monitoring post-authorization
Regardless of which method you choose, the FedRAMP authorization process always involves:
- A Preparation Phase, where the provider documents its control implementations in a System Security Plan (SSP). A FedRAMP-recognized Third-Party Assessment Organization (3PAO) then develops a Security Assessment Plan (SAP) describing how the controls will be tested.
- A Full Security Assessment, where the 3PAO tests the implementation of the controls in the applicable FedRAMP baseline (derived from NIST SP 800-53) against what the SSP claims and submits a Security Assessment Report (SAR). The provider records each open finding, with an owner and a remediation date, in a Plan of Action & Milestones (POA&M).
- Authorization, where the JAB or the authorizing agency determines whether the residual risk described in the package is acceptable. If it is, the authorizing official signs an ATO (or P-ATO) letter and submits it to the FedRAMP Program Management Office (PMO), and the offering is listed in the FedRAMP Marketplace.
- Continuous Monitoring, where the provider delivers monthly security monitoring artifacts (such as vulnerability scan results and an updated POA&M) to each agency using the service. An authorization is upheld only while these obligations continue to be met.
Why Is FedRAMP Authorization Valuable for CSPs?
Federal cloud spending has seen a meteoric rise in recent years. In fact, analysis from Deltek found that federal cloud spending reached nearly $11 billion in FY 2021, up more than 40% from the $7.6 billion spent in 2019. CSPs looking to capitalize on this trend should seek to achieve FedRAMP Authorization to Operate status.
In addition to opening new business, a FedRAMP authorization is reusable: the same package can be leveraged to sell to multiple agencies. An existing FedRAMP authorization can also simplify the process for other federal and defense programs, such as the DoD's Cloud Computing Security Requirements Guide (CC SRG), which uses the FedRAMP baselines as its starting point.
There are many process-related terms that frequently come up in conversations about FedRAMP authorization. While many of these phrases have extensive amounts of granular, additional detail attached to them, a base-level understanding can help guide your decision-making as you determine whether or not your organization should attain FedRAMP authorization.
3PAO – Third-Party Assessment Organization
A Third-Party Assessment Organization (3PAO) is an independent assessor accredited by the American Association for Laboratory Accreditation (A2LA) under ISO/IEC 17020 and recognized by FedRAMP. Using FedRAMP's templates, a 3PAO tests a CSP's implementation of the FedRAMP controls and documents the results in a Security Assessment Report, so that every offering is evaluated consistently and agencies can rely on the findings.
ATO – Authority to Operate
As part of the Agency authorization process, a Cloud Service Provider (CSP) works directly with the Agency sponsor to review the cloud service’s security package. After the security assessment is completed, the head of the Agency — or their authorized designee — can grant an ATO.
CSP – Cloud Service Provider
A Cloud Service Provider (CSP) is a company that offers some components of cloud computing to other businesses or individuals. CSPs make their offerings available as an on-demand, self-provisioning purchase or on a subscription basis.
FISMA – Federal Information Security Modernization Act of 2014
The Federal Information Security Modernization Act of 2014 (FISMA 2014) amends the Federal Information Security Management Act of 2002, which directed federal agencies to implement information security programs.
The FISMA 2014 update:
- Codified the Department of Homeland Security's (DHS) authority to administer the implementation of information security policies for non-national security federal Executive Branch systems.
- Amended and clarified the Office of Management and Budget’s (OMB) oversight authority over federal agency information security practices.
- Added a requirement for the OMB to amend or revise OMB A-130 to “eliminate inefficient and wasteful reporting.”
FISMA assigns responsibilities to a variety of agencies to ensure the security of data in the federal government, and has its own separate compliance standards.
JAB – Joint Authorization Board
The Joint Authorization Board (JAB) is the primary governance and decision-making body for the FedRAMP program. The JAB reviews and provides joint provisional security authorizations on cloud solutions using a standardized baseline approach. Members of the JAB include Chief Information Officers from the Department of Defense, the Department of Homeland Security, and the General Services Administration.
NIST – National Institute of Standards and Technology
The National Institute of Standards and Technology (NIST) is a physical science laboratory and non-regulatory agency of the Department of Commerce. It publishes the Special Publication (SP) 800 series on which FedRAMP's baselines are built (NIST SP 800-53). A related publication, NIST SP 800-171, provides requirements for protecting the confidentiality of controlled unclassified information (CUI) in nonfederal systems; it is a separate set of requirements and is not the control catalog FedRAMP assesses against.
Even with all of the benefits that come with FedRAMP authorization, it is a detailed and documentation heavy process. Here are some of the most common challenges organizations face in gaining FedRAMP authorization, along with solutions.
CSPs Might Not Know Authorization Is a Detailed Process
FedRAMP security standards are much more prescriptive compared to a more general security assessment, like SOC 2. You should be prepared to provide granular detail on how your organization meets FedRAMP standards.
In order to make the process easier, organizations should view past audit and assessment experiences as stepping stones that can help steer their FedRAMP journey along a smoother path. If you are uncertain of how to begin your authorization process, FedRAMP even has an official library of training resources.
CSPs Might Overlook the Benefits of Control Inheritance
To reduce the preparation work for your FedRAMP authorization, inherit as many controls as possible from the FedRAMP authorized infrastructure (IaaS or PaaS) your offering runs on. The provider's Customer Responsibility Matrix (CRM) lists which controls are fully inherited, which are shared, and which remain entirely yours.
Hosting your product on a FedRAMP authorized platform can save time and resources on implementation and testing for the inherited controls. Inherited controls still have to be recorded as inherited in your SSP, and the customer-responsibility portion of any shared control (for example, enabling and configuring the provider's logging or encryption features) must still be implemented and tested within your authorization boundary.
Organizations Underestimate the Power of Automation
Automation has become a key tenet of FedRAMP’s efforts to make processes more efficient and reduce the burden on CSPs.
A compliance management platform can help your organization automate and streamline tedious tasks. For example, an end-to-end platform (such as A-SCEND) can centralize evidence collection across all audits and assessments so that you do not have to upload the same documents multiple times.
For the past several years, FedRAMP has been working with NIST to develop the Open Security Controls Assessment Language (OSCAL), a set of machine-readable formats (XML, JSON, and YAML) for control catalogs, baselines, SSPs, assessment plans, assessment results, and POA&Ms. Machine-readable packages can shorten review times, and they allow CSPs and 3PAOs to validate their own packages (for example, confirming that every baseline control is addressed) before submission.
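As an added illustration (not code from the article, FedRAMP, or NIST), the Python below performs the kind of pre-submission self-check a machine-readable package makes possible: it reads a constructed SSP fragment that mirrors a small subset of the OSCAL SSP model and reports which baseline controls are satisfied, incomplete, claimed without an implementing component, or missing altogether. The control IDs, UUID, component names, and the `BASELINE_CONTROLS` list are all constructed for the example; a real check would resolve the baseline from an OSCAL profile and validate the full OSCAL schema.

```python
"""Pre-submission self-check over a simplified OSCAL-style System Security Plan.

Added example, not code from the article or from FedRAMP/NIST. The JSON below
mirrors a small subset of the OSCAL SSP model (system-security-plan ->
control-implementation -> implemented-requirements[] -> control-id and
by-components[] -> implementation-status.state); real SSPs carry far more
structure. BASELINE_CONTROLS is a constructed list, not a FedRAMP baseline.
"""
from __future__ import annotations

import json

# Constructed stand-in for a baseline's control IDs (a real one is resolved
# from an OSCAL profile and has hundreds of entries).
BASELINE_CONTROLS = ["ac-2", "ac-3", "au-2", "ia-2", "sc-7", "si-4"]

# Constructed SSP fragment. A "planned" state and an empty by-components list
# are the cases a reviewer would reject; "cm-6" is implemented but not in the
# baseline, which is worth a look but not a blocker.
SSP_JSON = """
{
  "system-security-plan": {
    "uuid": "11111111-1111-4111-8111-111111111111",
    "control-implementation": {
      "implemented-requirements": [
        {"control-id": "ac-2",
         "by-components": [{"component-uuid": "app",
                            "implementation-status": {"state": "implemented"}}]},
        {"control-id": "ac-3",
         "by-components": [{"component-uuid": "app",
                            "implementation-status": {"state": "implemented"}}]},
        {"control-id": "au-2",
         "by-components": [{"component-uuid": "iaas",
                            "implementation-status": {"state": "implemented"}}]},
        {"control-id": "ia-2",
         "by-components": [{"component-uuid": "app",
                            "implementation-status": {"state": "planned"}}]},
        {"control-id": "sc-7", "by-components": []},
        {"control-id": "cm-6",
         "by-components": [{"component-uuid": "app",
                            "implementation-status": {"state": "implemented"}}]}
      ]
    }
  }
}
"""

# States that count as done for submission purposes. OSCAL's allowed values
# are implemented, partial, planned, alternative and not-applicable.
SATISFIED_STATES = {"implemented", "not-applicable"}


def control_status(ssp_json: str) -> dict[str, str]:
    """Collapse each implemented-requirement to a single status string."""
    ssp = json.loads(ssp_json)["system-security-plan"]
    reqs = ssp["control-implementation"]["implemented-requirements"]
    status: dict[str, str] = {}
    for req in reqs:
        cid = req["control-id"].lower()
        if cid in status:
            raise ValueError(f"duplicate implemented-requirement for {cid}")
        states = [
            bc.get("implementation-status", {}).get("state", "unknown")
            for bc in req.get("by-components", [])
        ]
        if not states:
            status[cid] = "no-component"   # claimed, but nothing implements it
        elif all(s in SATISFIED_STATES for s in states):
            status[cid] = "satisfied"
        else:
            status[cid] = "incomplete"     # some component is planned/partial/alternative
    return status


def self_check(ssp_json: str, baseline: list[str]) -> dict[str, list[str]]:
    """Bucket every baseline control by how the SSP addresses it."""
    status = control_status(ssp_json)
    findings: dict[str, list[str]] = {
        "satisfied": [], "incomplete": [], "no-component": [], "missing": []
    }
    for cid in baseline:
        findings[status.get(cid, "missing")].append(cid)
    # Controls documented in the SSP that the baseline does not ask for: not an
    # error, but a hint that the wrong baseline was selected or entries are stale.
    findings["not-in-baseline"] = sorted(set(status) - set(baseline))
    return findings


def ready_to_submit(findings: dict[str, list[str]]) -> bool:
    """Every baseline control must be satisfied; anything else blocks submission."""
    return not (findings["missing"] or findings["incomplete"] or findings["no-component"])


if __name__ == "__main__":
    result = self_check(SSP_JSON, BASELINE_CONTROLS)
    for bucket, ids in result.items():
        print(f"{bucket:16} {', '.join(ids) or '-'}")
    print("ready:", ready_to_submit(result))
```

Run against the constructed fragment, the check flags ia-2 as incomplete (still planned), sc-7 as having no implementing component, and si-4 as missing from the SSP entirely, so `ready_to_submit` returns False. The same structure can be pointed at a real OSCAL SSP once the baseline list is resolved from the corresponding OSCAL profile.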
What’s New with FedRAMP in 2022
At the end of 2021, FedRAMP released a draft of its Revision 5 (Rev 5) baselines. The final Rev 5 baselines and the transition plan to Rev 5 are expected at the end of 2022 or in early 2023.
The biggest difference between the Rev 4 and Rev 5 baselines is that FedRAMP has introduced a threat-based methodology to determine which controls should be added on to the established NIST 800-53 Rev 5 baselines.
The Updated Readiness Assessment Report
FedRAMP Readiness Assessment Report (RAR) is what CSPs use to determine whether or not they are ready to undergo the extensive FedRAMP authorization process.
A 3PAO uses the RAR to document and validate a CSP's full implementation of the technical capabilities required to meet FedRAMP security requirements.
However, it is important to note that although a Readiness Assessment is intended to determine a CSP’s readiness to achieve FedRAMP authorization, it does not guarantee it. CSPs can use the process as an opportunity to discover and remediate any deficiencies in the organization’s capabilities, as well.
Completing a RAR consists of:
- Confirming full implementation of the Cloud Service Offering's (CSO) technical capabilities
- Understanding how the CSO works and operates
- Validating what is implemented within the cloud service offering
- Understanding the key functionalities of the CSO and documenting the RAR in a way that is comprehensible to agency customers who may not have a strong technical background
- Verifying that the stated authorization boundary of the CSO and the data flows within the system are practical, secure, and logical
FedRAMP was originally launched in 2011 as a way for the U.S. government to manage security risks as they adopt products and services that store, process, and transmit federal information in the cloud. However, organizations across the globe can still benefit from FedRAMP authorization.
As the global market enters another period of uncertainty, many organizations are looking to secure new business deals in hopes of strengthening their customer base. If international businesses want to sell a CSO to the U.S. government, they should consider pursuing FedRAMP authorized status.
International organizations seeking FedRAMP authorization will follow the same steps as U.S.-based organizations seeking authorization, having the option of either choosing the JAB process or authorization via an agency.
Beginning the Authorization Process
FedRAMP can help organizations win more business and stand out from their competition, but the approval process can be rigorous.
As a CSP, you must implement the appropriate FedRAMP controls before you can begin the FedRAMP authorization process. Whether you seek authorization via an agency or through the JAB, it is important to ensure you have a trusted resource to help guide you through the process.
A-LIGN is a top five accredited FedRAMP 3PAO, having helped organizations worldwide achieve full FedRAMP authorization.
If you are a CSP currently providing, or seeking to provide, services to federal agencies, speak to an expert at A-LIGN about the FedRAMP authorization process.