An Introduction To The Federal Risk and Authorization Management Program (FedRAMP)

The term “the cloud” has become common vernacular in today’s tech industry, and consumers are becoming more and more aware of the term as well. A vast majority of consumers use cloud services without even knowing it. Cloud services are here to stay and are becoming more pervasive in our daily online routine.

There are many significant advantages to cloud computing:

  • Resources are on demand and rapidly provisioned
  • Capabilities provided are elastic, in that as resource needs change, the computing capacity can change with it
  • Resources are pooled and are hence able to service many customers
  • Costs are reduced as “in house” computing resources are shifted to the cloud and no longer require personnel to maintain the computing environment, allowing staff to focus on other strategic initiatives
  • Enterprises can focus on their primary business and innovation

Recognizing the benefits of cloud computing and the need to reduce federal IT expenditures, the U.S. Chief Information Officer, Vivek Kundra, released the 25 Point Implementation Plan to Reform Federal Information Technology Management on December 9, 2010. As part of this implementation plan, the “Cloud First” policy was introduced. The “Cloud First” policy had a three-pronged approach: “[use] commercial cloud technologies where feasible, [launch] private government clouds, and [utilize] regional clouds with state and local governments where appropriate.” Also as part of the policy, OMB required that “agencies default to cloud-based solutions whenever secure, reliable, cost-effective cloud options exist.”

On February 8, 2011, Vivek Kundra released the Federal Cloud Computing Strategy to address “inefficiencies and [improve] government service delivery” to the public. The strategy required agencies to “re-evaluate [their] technology sourcing strategy to include consideration and application of cloud computing solutions as part of their budget process” and “modify [their] IT portfolios to take advantage of the benefits of cloud computing.”

Since the release of the Federal Cloud Computing Strategy in early 2011, the government has increased its investment in cloud services at a steady rate. In FY 2016, the federal government targeted 8.5% of all IT spending for cloud services, and spending is expected to increase over the next several years as well, to the point where spending on cloud technologies could reach or exceed half of an agency’s IT budget.

With the adoption of cloud services within the government came the introduction of the Federal Risk and Authorization Management Program (FedRAMP). The FedRAMP program was introduced in a December 8, 2011 memorandum to the Chief Information Officers of Federal Agencies from the Federal Chief Information Officer, Steven VanRoekel. One goal of the FedRAMP program was to “provide a cost-effective, risk-based approach for the adoption and use of cloud services.”

To facilitate the adoption of cloud services, the assurance of secure systems was critical. For decades, the certification and accreditation of systems within the government was stove-piped, in that each federal agency was responsible for certifying and accrediting the systems it used in accomplishing its mission. This approach engendered much redundancy and a variety of nuanced or tailored approaches to the certification and accreditation of federal systems. In addition, there was no incentive for reciprocity across federal agencies, whereby one agency would accept an Authorization to Operate (ATO) for a system issued by another agency.

Another primary goal of FedRAMP is to address this lack of reciprocity across federal agencies and to reduce the time, financial and resource commitments spent on redundant efforts. FedRAMP does this through a “do once, use many times” model for security assessment, authorization and continuous monitoring of cloud systems.

While FedRAMP has significantly standardized security assessment, authorization and continuous monitoring across the federal agencies, it still allows for some “agency unique” requirements. Standardization across federal agencies for anything is an extremely difficult task. In today’s security-sensitive environment, standardizing the approach to security and risk management is that much more challenging, especially when applied to cloud environments. FedRAMP, though, attempts to standardize the application of FISMA security controls (i.e. NIST 800-53 security controls) to cloud service providers (CSPs).

FedRAMP defines three primary players in the process:

  • Cloud Service Providers (CSP): CSPs provide secure cloud services (e.g. software as a service (SaaS)) to federal agencies. They are responsible for meeting the security requirements outlined by FedRAMP, including documentation and continuous monitoring. CSPs contract with 3PAOs for assessment of their services against the FedRAMP requirements.
  • Third Party Assessment Organizations (3PAO): 3PAOs provide an initial assessment of the CSP’s compliance to the FedRAMP requirements. They also perform additional assessments over time to ensure continued compliance and maintenance of the security posture of the CSP service.
  • Federal Agencies: Federal agencies identify cloud solutions to support their mission and business processes. They are responsible for ensuring that the cloud services they leverage to process, store or transmit government data meet the FedRAMP baseline security controls. They complete the risk review of the cloud service and issue an Agency Authorization to Operate (ATO) for the cloud service.

The FedRAMP Program Management Office (PMO) also plays an essential role in the process by providing oversight of the FedRAMP processes, developing standards and templates, coordinating with CSPs throughout the process, evaluating CSP readiness for the FedRAMP process, maintaining the repository of security documentation for CSPs, etc.

Achieving an ATO, whether issued by a federal agency or the Joint Authorization Board, is a challenging but rewarding accomplishment that provides business opportunities across the Federal government. It signifies a mature IT governance process and an implementation of extensive security controls throughout the system.

The assessment of FedRAMP security controls and the supporting documentation, policies and procedures should be conducted by an independent assessor with a background in and experience with the FedRAMP controls, the assessment processes and the documentation of compliance with the controls. Linford & Co personnel have over 20 years of combined experience leading successful security engineering efforts for highly complex programs supporting the acquisition, processing and reporting of satellite data for the Department of Defense and Intelligence agencies. We have submitted our application to become an accredited 3PAO and project completion of the effort in early 2017. Please contact us if you’d like to know more about the FedRAMP process, and also see the related blog post FedRAMP Continuous Monitoring — What Are the Responsibilities of the CSP and 3PAOs?