Put simply, FedRAMP (the Federal Risk and Authorization Management Program) is a U.S. government program designed to bring a consistent and repeatable process to the security assessment of cloud service offerings (CSOs) used by the federal government. The authorization process is designed so that a single security assessment can be leveraged by multiple federal agencies that want to use the CSO.
FedRAMP is becoming better known among Cloud Service Providers (CSPs) and among government agencies themselves. As of this writing, more than 150 federal agencies are leveraging at least one CSO. Less than a year ago there were approximately 100 FedRAMP authorized CSOs, an average of roughly 20 per year over the first five years of the program. Now there are 128 FedRAMP authorized CSOs, with 73 more in progress.
Cloud services provide core computing capabilities to the world’s largest companies, and their use is becoming more widely accepted. The security of cloud services has always been a concern, but in my opinion cloud services are proving that they can deliver security as well as critical functionality. This article covers some of the fundamental things an organization should understand before taking the plunge into the FedRAMP pool.
1. Is the FedRAMP Process Rigorous?
In a word, yes. With more than a decade of experience in security engineering and certification and accreditation (C&A) in the Intelligence Community and DoD, I can say without a doubt that the FedRAMP compliance process is more rigorous than the other programs I have supported. From my perspective, the primary reason is that the overall FedRAMP process needs to be comprehensive enough to address the needs of every federal organization from a traditional certification and accreditation perspective.
This matters because one of the main purposes of FedRAMP is the “do once, use many” concept: a CSP goes through the process once, with either the Joint Authorization Board (JAB) or an individual federal agency, and the resulting authorization can be leveraged by subsequent federal agencies that want to use the CSP’s services. The overall process therefore needs to meet the needs of all federal agencies and be repeatable.
When I supported various intelligence agencies, each had its own certification and accreditation process. With FedRAMP there is one process. It is standardized and repeatable, so CSPs do not have to worry about following a different process for each federal agency they wish to serve.
Another key element adding to the rigor of the process is the sheer number of FedRAMP security controls. CSOs are categorized as low, moderate, or high impact, and the vast majority of systems are categorized as FedRAMP moderate or FedRAMP high.
- The FedRAMP moderate baseline contains 325 security controls, many of which have multiple subparts.
- The FedRAMP high baseline contains 421 controls, again with many of the controls having multiple subparts.
The number of controls is the primary contributor to the rigor of the process; documentation is the other. As a result, a FedRAMP assessment is far more rigorous than a traditional System and Organization Controls (SOC) audit.
2. How Much Documentation is There?
I think this is one area that really catches CSPs by surprise. Put simply, there is a ton of documentation required. Again, because the process needs to meet the needs of essentially all federal agencies, the documentation also needs to be extensive enough to cover the bases for all of them.
The core document is the System Security Plan (SSP). It is not unusual for this document to run several hundred pages, because the SSP must describe specifically how each control is implemented within the system.
In most cases, Third Party Assessment Organizations (3PAOs) do not have intimate knowledge of the CSP’s CSO, so they need detailed information on how the controls are implemented in order to develop the Security Assessment Plan (SAP) and prepare to test the CSO.
Most FedRAMP authorized systems were assessed at the moderate impact level, where there are 325 controls, many with multiple subparts. It is easy to see how the SSP quickly becomes a very large document.
The SSP also has a number of appendices, which include the following documents:
- Information Security Policies and Procedures
- User Guide
- Electronic Authentication (E-Authentication) Plan
- Privacy Impact Assessment (PIA)
- Rules of Behavior (RoB)
- Information System Contingency Plan
- Configuration Management Plan
- Incident Response Plan
- Control Implementation Summary
- FIPS 199 Categorization Template
- Separation of Duties Matrix (optional)
- Any applicable laws and regulations that may apply to the system (e.g. HIPAA)
Keep in mind regarding the Information Security Policies and Procedures that there are 17 control families, and there must be security policies and procedures supporting each of them.
One element that is often overlooked is the actual procedures for each control family, so be sure to develop both policies and procedures for each of the 17 control families. Without them, you can expect a finding during the assessment. Any existing corporate policies and procedures that are relevant to the CSO are also evaluated and supplied with the authorization package.
3. How Mature (Ready) Does the Cloud Service Offering (CSO) Have to Be?
Bottom line up front: the CSO must be operationally ready. What does operationally ready mean? It means that all of the FedRAMP baseline security controls have been implemented on the system, and the system is ready to process, store, and transmit federal information.
Another reason the system must be operationally ready is that the SSP cannot be completed otherwise. The SSP must detail how each control is actually implemented on the system, so the system needs to be in a state where each control is implemented for each component.
4. Which ATO Path is Recommended?
There are two primary paths to a FedRAMP Authorization to Operate (ATO). The first is a Provisional Authorization to Operate (P-ATO) from the JAB. The other is the FedRAMP Agency ATO path.
A JAB P-ATO can be leveraged by any federal agency that requires the services of the CSO. Entry to the JAB path is through a very competitive selection process called FedRAMP Connect; every six months, approximately six CSPs are selected to go through the JAB P-ATO process.
With an agency ATO, the ATO is specific to that agency. That said, once a CSO is FedRAMP authorized, any subsequent federal agency that would like to use the CSP’s service can issue its own ATO based on the results of the original FedRAMP assessment. Per the FedRAMP website, federal agencies reuse authorizations an average of six times. Additional information and recommendations on which ATO path to take can be found in my previous article on FedRAMP authorizations.
5. How Long Does the ATO Process Take?
The short answer is that it depends. Many factors go into the timeline to obtain a FedRAMP authorization. Ask yourself the following questions:
- How mature (ready) is the CSO?
- How complete is the documentation?
- Are there any architecture changes that are needed to satisfy the FedRAMP controls?
- Are there resources (financial and personnel) available to support the assessment process?
- If pursuing a FedRAMP Agency ATO, has a federal agency agreed to sponsor the CSP through the process?
Even if the CSO is mature, the documentation is complete, all architecture changes needed to support the controls have been made, financial and personnel resources are available, and a federal agency has agreed to sponsor the CSP, the CSP should plan on a process of at least two to three months.
The FedRAMP process is rigorous and complex and involves a number of players, so it is important to allow enough time for the assessment itself, development of the post-assessment documentation (e.g. the Security Assessment Report and its appendices), the federal agency’s review and issuance of the ATO letter, and review by the FedRAMP PMO.
FedRAMP is becoming much better known, and the pace of FedRAMP authorizations continues to increase. While FedRAMP is rigorous, it is very achievable, even for small and medium-sized businesses.
The first assessment is the biggest hurdle. Once an ATO is obtained, CSPs maintain their authorization through continuous monitoring and an annual assessment covering a subset of the overall FedRAMP security control baseline.
If you would like to learn more about FedRAMP, check out our other blog posts here:
- The FedRAMP SSP: Important Tips for a Successful Outcome
- An Introduction to the Federal Risk and Authorization Management Program
- An Expert Guide to a FedRAMP Readiness Assessment
- FedRAMP Compliance: What is it? Requirements, Process, & More
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations and HITRUST assessments. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.