An Introduction to FedRAMP
In late 2011, the Office of Management and Budget under the Obama Administration released a memorandum that introduced the Federal Risk and Authorization Management Program (FedRAMP), noting that “[in the two years prior], the Administration worked in close collaboration with the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense (DOD), the Department of Homeland Security (DHS), the United States Chief Information Officers Council (CIO Council) and working bodies such as the Information Security and Identity Management Committee (ISIMC), state and local governments, the private sector, non-governmental organizations (NGOs), and academia” to develop a program that aimed to develop trusted relationships between Executive departments/agencies and cloud service providers (CSPs).
FedRAMP’s Mission and Goals
FedRAMP’s overarching mission is to provide a standardized approach to security and risk assessment for cloud technologies and federal agencies, which reduces any duplicative efforts, inconsistencies, and cost inefficiencies; and creates transparent standards and processes for security authorizations. The public-private partnership between Executive branch departments/agencies and CSPs that it establishes also aims to promote innovation and the advancement of more secure information technologies.
FedRAMP has three long-term goals:
- Growing the use of secure cloud technologies by government agencies.
- Enhancing the framework by which the government secures and authorizes cloud technologies.
- Building and fostering strong partnerships with FedRAMP stakeholders.
How Cloud Service Providers Can Earn FedRAMP Authorization
Today, cloud services that process, store, or transmit federal information must be FedRAMP-authorized before federal departments and agencies can use them. Cloud service providers have two FedRAMP authorization paths to choose from: an agency authority to operate (ATO), granted by an individual agency, and a provisional authority to operate (P-ATO), granted by FedRAMP’s Joint Authorization Board (JAB). The JAB is the primary governance and decision-making body for FedRAMP and consists of the Chief Information Officers of the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA). Both paths include a preparation phase, an authorization phase, and continuous monitoring once authorization is granted.
Step 1: FedRAMP Connect
Unlike most other steps in the FedRAMP authorization process, FedRAMP Connect applies only to cloud service providers seeking a P-ATO through the JAB. FedRAMP Connect is the process by which Cloud Service Providers (CSPs) are evaluated against the JAB Prioritization Criteria and selected to work with the JAB; this gate matters because the JAB prioritizes only roughly 12 cloud service offerings (CSOs) per year.
Step 2: Readiness Assessment
The readiness assessment is required only for the JAB authorization process, but it is strongly encouraged in the agency authorization process as well, because it allows a cloud service provider to achieve the FedRAMP ‘Ready’ designation. The Readiness Assessment Report (RAR), prepared together with a Third-Party Assessment Organization (3PAO), documents the CSP’s capability to meet FedRAMP security requirements and gives the JAB (or a sponsoring agency) a snapshot of the CSO’s security posture.
Step 3: Pre-Authorization
The Pre-Authorization step applies only to the agency authorization process, not the JAB process. In it, a CSP formalizes its partnership with an agency according to the requirements outlined in FedRAMP Marketplace: Designations for Cloud Service Providers. The CSP first makes any technical and procedural adjustments needed to address federal security requirements and prepares the security deliverables required for authorization. It then holds a kickoff meeting with the agency, where the parties discuss:
- The background and functionality of the cloud service
- The technical security of the cloud service, including the system architecture, the authorization boundary, data flows, and core security capabilities
- Customer-responsible controls that must be implemented and tested by the Agency
- Compliance gaps and remediation plans
- A work breakdown structure, milestones, and next steps
Step 4: Full Security Assessment
At this point in the authorization process, a Third-Party Assessment Organization (3PAO) develops a Security Assessment Plan (SAP) describing the scope and methodology of the testing, performs an independent assessment of the system according to that plan, and documents its findings in a Security Assessment Report (SAR). The CSP then develops a Plan of Action and Milestones (POA&M) that lays out how and when each finding from testing will be remediated.
Step 5: Agency or JAB Authorization Process
This is the final step before FedRAMP authorization is granted, whether the authorization comes from an agency or the JAB. For all intents and purposes it is a final review, in which the authorizing body analyzes the CSO’s system architecture, security capabilities, and risk posture. After the CSP completes any remediations the reviewers deem necessary, the agency issues an ATO or the JAB issues a P-ATO, and the cloud service offering is added to the FedRAMP Marketplace with the ‘Authorized’ designation.
Step 6: Post Authorization
Even after their offering is designated as authorized, the CSP is required to provide periodic security deliverables (vulnerability scans, updated POA&M, annual security assessments, incident reports, significant change requests, etc.) to all agency customers and, if applicable, the JAB. For organizations granted a provisional authority to operate (P-ATO), the JAB acts as a focal point for continuous monitoring activities of systems by:
- Reviewing continuous monitoring and security artifacts on a regular basis;
- Monitoring, suspending, and revoking a system’s P-ATO as appropriate;
- Authorizing or denying significant change and deviation requests; and
- Ensuring continuous monitoring deliverables are provided to leveraging agencies in a timely manner.