It is hard to read tech news today without coming across something regarding the cloud – and rightfully so. The cloud (or cloud computing) has become such an integral part of today’s technology world that it is hard to imagine where we would be without it. The ability to provision and promote to operations networks, storage, servers, etc. with a few keystrokes is well, really cool. Beyond being cool, though, cloud computing enables organizations of all sizes to be more nimble and responsive as resource demands for their service fluctuate.
Just as cloud computing has transformed how many companies manage their infrastructure and do business, the federal government recognizes the impact cloud computing can have in transforming how they do business as well as how they can save money on federal IT infrastructure.
- With the “Cloud First” mandate and subsequent direction from the OMB, federal agencies are to “default to cloud-based solutions whenever secure, reliable, cost-effective cloud options exist.”
- With the “Cloud First” mandate, there was a critical need to ensure the cloud services leveraged by the federal government were secure and reliable
The Federal Risk and Authorization Management Program (FedRAMP) was established to address the security and reliability of cloud services used by the federal government. This blog post will define FedRAMP compliance and outline the different paths to become FedRAMP compliant.
What Is FedRAMP Compliance?
In order for a commercial cloud service offering (CSO) to be used by a federal agency, the CSO must demonstrate FedRAMP compliance which is the ability to substantiate adherence to government security requirements outlined in NIST 800-53 and supplemented by the FedRAMP Program Management Office (PMO). In simpler terms, cloud service providers (CSP) demonstrate FedRAMP compliance by obtaining a FedRAMP authorization, or FedRAMP Authority to Operate (ATO).
FedRAMP Compliance Requirements
Below are the high-level requirements to achieve FedRAMP compliance:
- Complete FedRAMP documentation including the FedRAMP SSP
- Implement controls in accordance with FIPS 199 categorization
- Have CSO assessed by a FedRAMP Third Party Assessment Organization (3PAO)
- Remediate findings
- Develop Plan of Action and Milestones (POA&M)
- Obtain Agency ATO or Joint Authorization Board (JAB) Provisional ATO (P-ATO)
- Implement a Continuous Monitoring (ConMon) program to include monthly vulnerability scans
What Are the Different Paths to Achieve FedRAMP Compliance?
There are two distinct paths to demonstrate FedRAMP compliance or obtain a FedRAMP authorization or ATO. The first path is to obtain a FedRAMP ATO directly from a federal agency. The second, and more difficult, path is to receive a FedRAMP P-ATO from the JAB.
What is the Difference Between an Agency and JAB Authorization?
The primary difference between an Agency FedRAMP ATO and a JAB P-ATO is the scope of the authorization, or ATO.
An agency FedRAMP ATO is applicable to that agency only; having an Agency FedRAMP ATO does not mean that other agencies are authorized to use that CSO. Each federal agency has a different risk appetite, so each federal agency evaluating a CSO for FedRAMP compliance and eventual authorization will evaluate the CSO’s level of compliance in accordance with their specific risk appetite. Another federal agency may have a more conservative risk appetite, so they are not obligated to accept the FedRAMP ATO from another agency. They would be responsible for issuing their own FedRAMP authorization, or ATO.
One of the primary tenants of FedRAMP is “do once, use many times” regarding security assessments, authorization, and continuous monitoring of CSOs.
Once a CSO has a FedRAMP ATO with an agency, other federal agencies that want to use the CSO will evaluate the authorization package against their risk profile and determine if the security assessment and resulting security posture of the FedRAMP authorized CSO is sufficient to meet their risk tolerance. If it is, the second federal agency can issue their own FedRAMP authorization. If additional requirements and testing are needed, then those additional requirements will be addressed and tested sufficient to meet the needs of the second federal agency.
When the additional security requirements are met, the second federal agency can issue a FedRAMP ATO from their organization. Once an agency FedRAMP ATO is obtained, any subsequent federal agency can leverage that authorization package in support of issuing their own FedRAMP ATO for their agency. Most FedRAMP authorizations follow this agency path. You can find out more about Agency FedRAMP authorizations here.
The JAB is made up of representatives from the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA) and serves to represent all federal agencies when it comes to evaluating the security posture of CSPs. However, the JAB cannot accept risk for any federal agency. Therefore the ATO issued by the JAB is provisional meaning that the risk posture of the CSO has been reviewed and approved by the JAB, but each federal agency is still responsible for issuing an agency ATO demonstrating their acceptance of risk regarding the use of a particular CSO.
Since a JAB P-ATO essentially represents the most stringent of FedRAMP authorizations, additional security testing is not required before a federal agency issues their own ATO. Go here to find out more regarding JAB provisional authorizations.
FedRAMP Compliance Process: How Does a CSP Achieve Compliance?
Whether through the agency path or the JAB path, demonstrating FedRAMP compliance through obtaining an agency ATO or a JAB P-ATO is a rigorous process, and CSPs (especially management) must be “all in” before starting the process. CSPs will be required to commit significant time and resources (personnel and financial) to the process. The following high level steps from the FedRAMP Risk Management Framework outline the process to achieve FedRAMP compliance.
Document
Documenting the implementation of the security controls and preparing for a FedRAMP ATO is a crucial step in the process. CSPs start this process by categorizing their CSO in accordance with FIPS-199. The resulting categorization (Low, Moderate, or High) will determine the associated NIST 800-53 controls (and FedRAMP supplemental controls) that will apply to the CSO.
CSPs should develop a roadmap to meet the controls as it may require architectural changes to their existing cloud offering in the public sector. How each control is implemented must be documented in detail in the FedRAMP System Security Plan (SSP).
While the SSP is the foundational (and complex) document required in the process, there are other many other documents that are also required such as a contingency plan, incident response plan, and a configuration management plan, just to name a few. CSPs should not underestimate the effort it takes to develop the documentation and implement the controls for the CSO. The quality of the documentation and the thoroughness in which the controls are implemented will go a long way in ensuring a smooth assessment process.
Assess
Once the SSP and other required documentation is in place, reviewed, and approved the assessment phase can begin. At this point, a third party assessment organization (3PAO) will develop a security assessment plan (SAP) which outlines the testing approach for the CSO.
Once approved by the CSO (and federal agency for an agency ATO), the 3PAO will test the implementation of the controls and develop a security assessment report (SAR). It is important to note that the security assessment must be performed on a production ready system. Assessments cannot be performed on a test or development system.
Authorize
During this phase, the SAR is reviewed by the federal agency (for an agency authorization) and approved. Federal agencies may require additional testing before approving the SAR. Once the SAR is approved an agency ATO letter (for the agency path) is issued and uploaded to a secure repository with all other required documentation. The FedRAMP PMO then reviews the documentation set and makes a decision regarding the FedRAMP authorization.
Continuous Monitoring
Once an initial agency ATO or JAB P-ATO is achieved, the CSP enters the continuous monitoring phase. During this phase the CSP ensures that the controls that were assessed continue to operate effectively. A subset of controls are monitored at specified intervals (e.g. continuous/ongoing, monthly, annually) and data regarding compliance is provided to the authorizing agency.
Monthly vulnerability scans are also executed against the databases, servers, and web applications. 3PAOs are also required to execute an annual assessment of the CSO. Read more about the FedRAMP continuous monitoring process.
Summary
The FedRAMP compliance process is rigorous, but once a FedRAMP agency ATO or JAB P-ATO is obtained, the CSP has significant opportunities to expand their CSO throughout the rest of the federal government. As CSPs contemplate committing to the FedRAMP authorization process, they will need to decide whether the agency or JAB path is right for them. My next blog post will address this topic and provide insight as to which path may be right for your organization. If you would like to learn more about how Linford and Company can assist your organization regarding either FedRAMP advisory or assessment services, please contact us.
If you are looking for additional information regarding FedRAMP, read our other blog posts here:
- The FedRAMP SSP: Important Tips for a Successful Outcome
- An Introduction to the Federal Risk and Authorization Management Program
- An Expert Guide to a FedRAMP Readiness Assessment
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.