A FedRAMP Readiness Assessment is an opportunity for Cloud Service Providers (CSP) targeting government clients to demonstrate that they are ready to begin the FedRAMP process in earnest. With the end goal being a Provisional ATO (P-ATO) from the Joint Authorization Board (JAB) or an ATO granted by a Federal Agency, CSPs, through the Readiness Assessment process, signify that their service offering implements key specified technical controls and is at a level of maturity to start the FedRAMP authorization process.
This guide will help you and your organization determine whether or not you should pursue a FedRAMP Readiness Assessment and what to keep in mind as you prepare.
What is FedRAMP?
Each year, the government targets more of its IT expenditures toward commercial cloud services. Security is always a concern when moving government services to the cloud. The Federal Risk and Authorization Management Program (FedRAMP) is the government program instituted to address the security of commercial cloud service providers and help government Authorization Officials (AO) manage risk in a cloud-based environment.
FedRAMP employs independent Third Party Assessment Organizations (3PAO) to assess the security of the commercial cloud service providers against the NIST 800-53 security control catalog and additional FedRAMP requirements. Based on the assessment, Federal AOs can determine whether the risk is acceptable to allow the system to process its agency’s data. If the risk is acceptable, the CSP receives an ATO and is allowed to provide cloud services to that Federal Agency. These ATOs can be leveraged from one Federal Agency to another, thus decreasing the effort and financial investment required to obtain an authorization and provide services to multiple Federal Agencies. Each agency must assess risk and subsequently grant an ATO based on acceptable risk levels.
Learn more in our article, titled What is FedRAMP?
What Are the FedRAMP Levels?
Instead of using the term “levels,” systems are categorized as High, Moderate, or Low. Based upon Federal Information Processing Standards Publication (FIPS PUB) 199, Standards for Security Categorization of Federal Information and Information Systems, each system that processes, stores, or transmits federal data is categorized based on information type (e.g., medical, financial, privacy, security management, investigative, etc.). In general, each information type has an identified impact (low, moderate, or high) on availability, confidentiality, and integrity. For an information system, every information type on the system is considered, and the high water mark across the combined information types is what is assigned to each of the availability, confidentiality, and integrity security objectives. The categorization of the information system is then the high water mark of the roll-up of those three security objectives. The resulting categorization would be along the lines of, for example, Confidentiality-moderate, Integrity-moderate, Availability-moderate, or M-M-L. From a FedRAMP perspective, the resulting categorization for the system would be Moderate, and the system would be assessed as a FedRAMP moderate system. The vast majority of FedRAMP authorized systems are categorized as FedRAMP moderate.
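The two-stage high water mark roll-up described above, as an added example that is not part of the original article; the information types and their impact ratings are constructed sample data, not a real FIPS 199 catalog:

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 impact levels, ordered so that max() yields the high water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Constructed sample: information types handled by a hypothetical cloud offering,
# each rated (confidentiality, integrity, availability).
SAMPLE_INFO_TYPES = {
    "customer support records": (Impact.MODERATE, Impact.LOW, Impact.LOW),
    "financial transactions": (Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "public web content": (Impact.LOW, Impact.LOW, Impact.LOW),
}

OBJECTIVES = ("confidentiality", "integrity", "availability")


def objective_high_water_marks(info_types):
    """Stage 1: for each security objective, take the highest impact that any
    information type on the system assigns to it."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    return {
        objective: max(cia[idx] for cia in info_types.values())
        for idx, objective in enumerate(OBJECTIVES)
    }


def system_categorization(info_types):
    """Stage 2: the system's overall category is the high water mark across
    the three per-objective marks (the "roll-up" in the text)."""
    return max(objective_high_water_marks(info_types).values())


def abbreviate(marks):
    """Render per-objective marks in the C-I-A shorthand, e.g. 'M-M-L'."""
    return "-".join(marks[objective].name[0] for objective in OBJECTIVES)


if __name__ == "__main__":
    marks = objective_high_water_marks(SAMPLE_INFO_TYPES)
    print(abbreviate(marks), "->", system_categorization(SAMPLE_INFO_TYPES).name)
```

Note that a single HIGH rating on any one objective of any one information type is enough to make the whole system High, which is why trimming unnecessary information types out of the boundary matters before an assessment.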
What Is FedRAMP Ready?
FedRAMP Ready is essentially a status on the FedRAMP Marketplace that is granted to CSPs who have successfully completed a FedRAMP Readiness Assessment. Depending on the authorization path, a FedRAMP Readiness Assessment is an early step in the FedRAMP process flow, where a FedRAMP authorized 3PAO performs an abbreviated assessment and completes a FedRAMP Readiness Assessment Report, or FedRAMP RAR. The FedRAMP RAR covers topics such as boundary validation, policy and procedure status, assessment of mandatory technical requirements, change management maturity, vendor dependencies, etc.
How Do You See If You Are FedRAMP Ready?
A CSP is not granted FedRAMP Ready status until the FedRAMP RAR has been reviewed and approved by the FedRAMP PMO. Once the FedRAMP PMO approves the FedRAMP RAR, then the CSP will be placed on the FedRAMP marketplace with the status of FedRAMP Ready.
Do You Need A FedRAMP Readiness Assessment?
FedRAMP Readiness Assessments are required for those CSPs seeking a JAB P-ATO, but they are not required for CSPs seeking an ATO from one of the Federal Agencies. While it is true that FedRAMP Readiness Assessments are not required as part of the Federal Agency ATO process, the FedRAMP PMO strongly encourages CSPs to consider having a readiness assessment performed. Why? Read on.
How Will a FedRAMP Readiness Assessment Help You As a CSP?
Whether required or not, performing a FedRAMP Readiness Assessment can help a CSP in the following ways:
- Obtaining the “FedRAMP Ready” status from the FedRAMP PMO signals to potential Federal Agency clients that a given CSP is serious about obtaining a FedRAMP authorization. You cannot achieve FedRAMP Ready status without a significant commitment to the process and a system that has demonstrated compliance with specific technical FedRAMP requirements.
- Obtaining the FedRAMP Ready status will demonstrate that the CSP is on the right track regarding the level to which the FedRAMP requirements are implemented. With a large percentage of the technical controls, there are varying degrees of breadth and depth to which the control can be implemented. Let’s use auditing as an example. Is auditing enabled at just the primary components of the CSP offering (e.g. the custom application) or at every component within the service offering (e.g. custom application, operating systems, databases, application servers, etc.)? How mature is the process to review, analyze, and report on the audit data collected? Are all logs aggregated to a central location and analysis performed using automated mechanisms that correlate audit events and alert on suspicious events? Or are only a portion of the audit logs analyzed for suspicious events without an alerting capability? The maturity level to which a CSP implements a control is a significant indicator when determining their FedRAMP readiness.
- If a CSP does not currently have a Federal Agency with which they are partnering in the FedRAMP process, being FedRAMP Ready strengthens a CSP’s marketing position in order to sell to Federal Agencies. Please note that being “FedRAMP Ready” does not mean that your service offering is ready to be used by Federal Agencies. It is, though, an indicator that CSPs are likely to either be granted a P-ATO by the JAB or an ATO by a Federal Agency. The FedRAMP Ready status is valid for one year at which time the CSP must demonstrate a partnering relationship with a Federal Agency, be prioritized by the JAB, or undergo another readiness assessment. Demonstrating FedRAMP Readiness is a significant differentiator between CSPs.
What Can You Expect From A FedRAMP Readiness Assessment?
The readiness assessment process is a fairly significant departure from the “traditional” FedRAMP assessment process. Whereas the traditional FedRAMP process necessitates that the volumes of required documentation be complete upfront, a FedRAMP Readiness Assessment concentrates on the security capabilities currently operating in the system. Policies and procedures should be completed. While the documentation in the System Security Plan (SSP) of how each control is implemented within the system does not have to be complete, CSPs should demonstrate they have started the process and understand the level to which they need to document their control implementations.
In order to attest to a CSP’s FedRAMP readiness, 3PAOs must perform a certain level of testing and observation rather than relying solely on what is documented by the CSP. The 3PAO will also conduct in-person interviews with the CSP technical and security teams to determine the operational maturity of the CSP. Therefore, at least one onsite visit is required.
What Areas Should CSPs Focus On When Preparing For A FedRAMP Readiness Assessment?
While CSPs must understand and address all the FedRAMP Readiness Assessment requirements, below are five key areas to focus on during preparation for the assessment:
- Federal Requirement Mandates: There are five Federal Requirement Mandates that CSPs must meet, or CSPs cannot be assessed as FedRAMP Ready. Since these are mandatory, CSPs must ensure these are met before starting a FedRAMP Readiness Assessment. The Federal Requirement Mandates, as defined in the FedRAMP Readiness Assessment Report template, are the following:
  - Are FIPS 140-2 validated or National Security Agency (NSA)-approved cryptographic modules consistently used where cryptography is required?
  - Can the system fully support user authentication via Agency Common Access Card (CAC) or Personal Identity Verification (PIV) credentials?
  - Is the system operating at eAuth Level 3 or higher?
    - Note: eAuth Level 3 means that there is high confidence that the asserted identity during the identification and authentication process is valid.
  - Does the CSP have the ability to consistently remediate High vulnerabilities within 30 days and Moderate vulnerabilities within 90 days?
  - Do the CSP and system meet Federal Records Management Requirements, including the ability to support record holds, National Archives and Records Administration (NARA) requirements, and Freedom of Information Act (FOIA) requirements?
- Boundary definition: In order to successfully assess a system, there must be a clear understanding of the scope of the components inside and outside the system boundary. If the system boundary is not clearly understood and documented, a system component could go unassessed thus resulting in a potential vulnerability or attack vector within the system. Discovery scans will be executed to validate the system boundary.
- Data flow diagrams: Much like having a firm understanding of the system boundary, it is also very important to accurately define how federal data flows into, through, and out of the system. Security controls must be applied to safeguard the data during processing, transmission, and storage. Therefore, the diagrams depicting the flow of data through the system must be accurate.
- Multi-factor authentication: Put simply, passwords alone are a poor authentication mechanism. Multi-factor authentication is mandatory for privileged accounts and should be enabled for all system users.
- Segregation/isolation of users and data: CSPs must be able to demonstrate that their system enforces the segregation of users and data. All access to data must be from authorized sources and data must be logically segregated within the data store. This also includes restricting the flow of information to only authorized locations internal or external to the information system.
How Long Does a FedRAMP Readiness Assessment Take To Complete?
While not as extensive as the full assessment, a FedRAMP Readiness Assessment is still a rigorous process. Technical implementations for key FedRAMP requirements must be operating effectively within the system. So how long does it take? The FedRAMP PMO estimates that the FedRAMP Readiness Assessment process should take two to four weeks for a “mid-size, straightforward system,” split roughly evenly between (1) testing and information gathering and (2) analysis of the results and report writing.
There is an important caveat to the question on timing, though – the FedRAMP PMO also does not expect all CSPs to pass the readiness assessment the first time. The readiness assessment process will likely identify gaps that need to be addressed by the CSP. This will naturally lengthen the process. Once the gaps have been addressed satisfactorily, the 3PAO will submit the FedRAMP Readiness Assessment Report (FedRAMP RAR) to the FedRAMP PMO.
FedRAMP Readiness Assessments are only required for CSPs pursuing the JAB path for authorization, but they are recommended for CSPs working to achieve a Federal Agency authorization because they demonstrate a high likelihood that the CSP will successfully complete the full FedRAMP assessment and achieve FedRAMP authorization.
Achieving a FedRAMP Ready status differentiates CSPs within the federal marketplace. To increase the likelihood of success the first time, CSPs must have a firm understanding of all the assessment requirements and ensure Federal mandates, boundary and data flow definition, multi-factor authentication, and client and data segregation are clearly addressed and implemented.
If you are interested in learning more about FedRAMP or FedRAMP Readiness Assessments, contact us.
Looking for more information about FedRAMP? Read An Introduction To The Federal Risk and Authorization Management Program (FedRAMP).
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations and HITRUST assessments. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.