It’s nearly impossible to read tech news today without encountering discussions about the cloud—and for good reason. Cloud computing has become an essential part of the modern technology landscape, making it hard to imagine a world without it. The ability to provision and manage networks, storage, and servers with just a few keystrokes is not only impressive, but also transformative. Cloud computing allows organizations of all sizes to be more agile and responsive to changing resource demands.
Just as cloud computing has revolutionized how businesses manage their infrastructure and operations, the federal government has also recognized its potential for transformation and cost savings in federal IT infrastructure.
The “Cloud First” mandate, along with subsequent directives from the Office of Management and Budget (OMB), requires federal agencies to prioritize cloud-based solutions whenever secure, reliable, and cost-effective options are available. This mandate underscored the need for secure and reliable cloud services within the federal government.
To address these concerns, the Federal Risk and Authorization Management Program (FedRAMP) was established. This program ensures that the cloud services used by the federal government meet stringent security and reliability standards. This blog post will define FedRAMP compliance and outline the various pathways to achieve it.
Achieving FedRAMP Compliance
For a commercial cloud service offering (CSO) to be used by a federal agency, it must demonstrate FedRAMP compliance. This means the CSO must meet the government security requirements specified in NIST SP 800-53, plus the additional requirements and guidance issued by the FedRAMP Program Management Office (PMO). In practical terms, a cloud service provider (CSP) demonstrates FedRAMP compliance by obtaining a FedRAMP authorization, known as an Authority to Operate (ATO).
FedRAMP Compliance Requirements
Below are the high-level requirements to achieve FedRAMP compliance.
- Complete FedRAMP documentation including the FedRAMP SSP.
- Implement controls per FIPS 199 categorization.
- Have the CSO assessed by a FedRAMP Third Party Assessment Organization (3PAO).
- Remediate findings.
- Develop a Plan of Action and Milestones (POA&M).
- Obtain an authorization.
- Implement a continuous monitoring (ConMon) program to include monthly vulnerability scans.
Paths to Achieve a FedRAMP Authorization
There are two distinct paths to a FedRAMP authorization. The first is to obtain a FedRAMP ATO directly from a federal agency. The second, which has recently changed, is to receive a FedRAMP Provisional ATO (P-ATO) from the FedRAMP Board, which has replaced the Joint Authorization Board (JAB). One of the FedRAMP Board's primary tasks is to work with federal agencies to expand authorization capacity, but it will take some time for these additional authorization paths to materialize.
An Agency FedRAMP ATO applies solely to the issuing agency. Possessing an Agency FedRAMP ATO does not, by itself, authorize other agencies to use that CSO. Each federal agency has its own risk tolerance, so every agency evaluating a CSO assesses the CSO's compliance against its specific risk appetite. Consequently, an agency with a more conservative risk tolerance is not obliged to accept another agency's ATO and must issue its own FedRAMP authorization.
One of the core principles of FedRAMP is the “do once, use many times” approach regarding security assessments, authorization, and continuous monitoring of CSOs.
After a CSO receives a FedRAMP ATO from one agency, other federal agencies interested in the CSO evaluate the existing authorization package against their own risk profile. They determine whether the security assessment, and the resulting security posture of the FedRAMP-authorized CSO, meets their risk tolerance. If it does, the second agency can issue its own FedRAMP authorization on the strength of the existing package. If additional requirements or testing are needed, they are addressed to satisfy the second agency, after which it issues its own ATO. Each subsequent agency likewise leverages the existing authorization package to support its own FedRAMP ATO, rather than repeating the full assessment.
The FedRAMP Board
The new FedRAMP Board is made up of members from across the government. The inaugural board members come from the Department of Defense, the Department of Homeland Security, the Department of Veterans Affairs, the Department of the Air Force, the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. General Services Administration. One of the FedRAMP Board's main tasks is to work with agencies to develop a method for performing joint and single-agency authorizations. Once these new authorization options are in place, authorization capacity should increase.
FedRAMP Compliance Process: How Does a CSP Achieve Compliance?
Demonstrating FedRAMP compliance by obtaining an ATO is a rigorous process. CSPs, and especially their management teams, must be fully committed before beginning. CSPs will need to invest substantial time and resources, including personnel and funding, to meet the requirements. The following high-level steps, drawn from FedRAMP's adaptation of the NIST Risk Management Framework, outline the process.
Document
Documenting the implementation of security controls and preparing for a FedRAMP ATO is a crucial step in the process. CSPs begin by categorizing their CSO in accordance with FIPS 199. The resulting categorization (Low, Moderate, or High) determines the applicable NIST SP 800-53 control baseline, along with the FedRAMP supplemental controls for that baseline.
CSPs should develop a roadmap for meeting these controls, which may require architectural changes to the existing cloud offering before it can serve federal customers. Each control's implementation must be documented in detail in the FedRAMP System Security Plan (SSP).
While the SSP is the foundational and complex document required, there are many other necessary documents, such as a contingency plan, incident response plan, and configuration management plan. CSPs should not underestimate the effort required to develop this documentation and implement the controls for the CSO. The quality of the documentation and the thoroughness of control implementation are crucial for ensuring a smooth assessment process.
Assess
Once the SSP and other required documentation are in place, reviewed, and approved, the assessment phase can begin. At this stage, a 3PAO will develop a Security Assessment Plan (SAP) that outlines the testing approach for the CSO.
After the SAP is approved by the CSP (and by the federal agency, for an agency ATO), the 3PAO tests the implementation of the controls and compiles a Security Assessment Report (SAR). It is crucial to note that the security assessment must be conducted on the production-ready system; assessments cannot be performed on test or development environments.
Authorize
During this phase, the SAR is reviewed and approved by the federal agency (for an agency authorization). Federal agencies may request additional testing before approving the SAR. Once the SAR is approved, an agency ATO letter is issued. The FedRAMP PMO then reviews the complete authorization package and will likely require documentation updates, additional testing, or additional evidence before listing the CSO as FedRAMP authorized.
Continuous Monitoring
Once an initial ATO is achieved, the CSP enters the continuous monitoring phase. In this phase, the CSP must show that the assessed controls continue to operate effectively. A subset of controls is monitored at specified intervals (e.g., continuously, monthly, annually), and the resulting compliance data is delivered to the authorizing agency.
Additionally, monthly vulnerability scans are conducted against databases, operating systems, and web applications, and each new finding is tracked in the POA&M until it is remediated. 3PAOs are also required to perform an annual assessment of the CSO. For more information, read about the FedRAMP continuous monitoring process.
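The monthly-scan cycle described above is, operationally, a reconciliation problem: each month's scan must be merged into the POA&M so that a finding that persists keeps its original detection date (its remediation clock does not reset), a finding that disappears is closed, and anything new opens an entry. The following is an added example written for this post, not code from Linford and Company or from the FedRAMP PMO. The remediation windows of 30, 90 and 180 days for High, Moderate and Low findings are those set by FedRAMP's continuous monitoring guidance; the asset names, plugin IDs and scan dates are constructed sample data, and the `Finding`, `reconcile` and `overdue` names are this example's own.

```python
"""Toy POA&M tracker for monthly FedRAMP ConMon vulnerability scans (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Remediation windows from FedRAMP continuous monitoring guidance, counted in
# days from the date a finding is FIRST detected by a scan.
REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}

Key = Tuple[str, str]  # (asset, scanner plugin id) uniquely identifies a finding


@dataclass
class Finding:
    asset: str
    plugin_id: str
    severity: str
    first_seen: date
    last_seen: date
    closed: Optional[date] = None

    @property
    def key(self) -> Key:
        return (self.asset, self.plugin_id)

    def due(self) -> date:
        """Remediation deadline, anchored to first detection, not the latest scan."""
        return self.first_seen + timedelta(days=REMEDIATION_DAYS[self.severity])

    def is_overdue(self, today: date) -> bool:
        return self.closed is None and today > self.due()


def reconcile(poam: Dict[Key, Finding], scan: List[Tuple[str, str, str]], scan_date: date) -> Dict[Key, Finding]:
    """Merge one month's scan output (asset, plugin_id, severity) into the POA&M.

    - A tracked, open finding that reappears keeps its first_seen; only last_seen moves.
    - A tracked, open finding absent from this scan is closed as of scan_date.
    - A finding not tracked (or previously closed) opens a new entry with a fresh clock.
    """
    present = {(asset, plugin) for asset, plugin, _ in scan}
    for item in poam.values():
        if item.closed is None and item.key not in present:
            item.closed = scan_date
    for asset, plugin, severity in scan:
        key = (asset, plugin)
        if key in poam and poam[key].closed is None:
            poam[key].last_seen = scan_date
        else:
            poam[key] = Finding(asset, plugin, severity, scan_date, scan_date)
    return poam


def overdue(poam: Dict[Key, Finding], today_iso: str) -> List[Key]:
    """Open findings whose remediation window has lapsed as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return sorted(f.key for f in poam.values() if f.is_overdue(today))


def run_example() -> Dict[Key, Finding]:
    """Two constructed monthly scans: one High persists, one Moderate is fixed, one Moderate is new."""
    poam: Dict[Key, Finding] = {}
    scan_jan = [("db01", "plugin-1001", "high"),
                ("web01", "plugin-2002", "moderate"),
                ("app01", "plugin-3003", "low")]
    scan_feb = [("db01", "plugin-1001", "high"),      # still present: clock keeps running
                ("app01", "plugin-3003", "low"),       # still present
                ("web01", "plugin-4004", "moderate")]  # new this month
    reconcile(poam, scan_jan, date(2024, 1, 15))
    reconcile(poam, scan_feb, date(2024, 2, 15))
    return poam


if __name__ == "__main__":
    tracked = run_example()
    for f in tracked.values():
        status = f"closed {f.closed}" if f.closed else f"open, due {f.due()}"
        print(f"{f.asset:6} {f.plugin_id:12} {f.severity:9} first seen {f.first_seen}  {status}")
    print("overdue on 2024-02-20:", overdue(tracked, "2024-02-20"))
```

The point a reviewer checks in real POA&Ms is the one this models: the High on `db01` was first seen on 15 January, so it is past its 30-day window on 20 February even though it was "re-detected" only five days earlier. Resetting the clock on each scan, which ad hoc spreadsheet tracking often does by accident, would hide exactly the findings an authorizing agency cares about.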
Summary
The FedRAMP compliance process is rigorous, but once a CSP obtains a FedRAMP ATO, significant opportunities open up for expanding its CSO across the federal government. As CSPs consider committing to the FedRAMP authorization process, they must decide whether an agency authorization is sufficient or whether the forthcoming alternate authorization path is the better fit. If you would like to learn more about how Linford and Company can assist your organization with FedRAMP advisory or assessment services, please contact us.
If you are looking for additional information regarding FedRAMP, read our other Linford blog posts here:
- What is FedRAMP? 5 Considerations Before Taking the Leap
- An Expert Guide to a FedRAMP Readiness Assessment
- FedRAMP vs. FISMA: What You Need To Know
This article was originally published on 9/19/2018 and was updated on 6/19/2024.
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.