The Federal Risk and Authorization Management Program (FedRAMP) is an initiative created within the General Services Administration (GSA) to accelerate the adoption of secure cloud computing by more agencies. For U.S. federal agencies considering cloud computing solutions, FedRAMP provides a standard approach.
FedRAMP Program Basics
In 2017, the Office of Management and Budget (OMB) announced a cloud-first strategy. It was understood that cloud services could help federal agencies meet mission-critical needs, but barriers to adoption impeded the transition from older, less-secure legacy systems. FedRAMP helps agencies move to more secure and cost-effective cloud-based IT solutions.
- Delivers a uniform approach to risk-based management
- Increases transparency
- More efficiently uses resources by taking advantage of repeatable criteria and processes
- Provides real-time security visibility
- Reuses existing security assessments across agencies
What is FedRAMP?
FedRAMP is a government-wide program that went into effect in December 2018. It creates and manages processes to assess, authorize, and continuously monitor cloud products and services provided to U.S. federal agencies. In addition, to improve and facilitate access to secure cloud solutions, it established a marketplace of authorized offerings.
- Accelerate the adoption of secure cloud solutions.
- Achieve consistent security authorizations using a baseline set of agreed-upon standards to review and approve cloud products.
- Enhance automation to provide near real-time data for continuous monitoring.
- Ensure consistent application of security best practices for effective, repeatable cloud security.
- Facilitate collaboration across federal agencies through open exchanges of lessons learned, use cases, and tactical solutions.
- Increase familiarity, confidence, and utilization of secure cloud solutions.
- Provide reliable results from security assessments.
The FedRAMP Process
There are three primary players in the FedRAMP process for authorization and compliance:
- 1. Cloud Service Organizations (CSOs) / Cloud Service Providers (CSPs)
- Provide secure cloud
- Responsible for meeting the security requirements
- Contract with 3PAOs for assessment of their services
- 2. Third-Party Assessment Organizations (3PAO)
- Provide an initial assessment of the vendor’s compliance with FedRAMP requirements
- Perform ongoing assessments
- Ensure continued compliance and maintenance of the vendor’s security posture
- 3. Federal Agencies
- Identify cloud solutions
- Ensure that the cloud meets the FedRAMP baseline security controls
- Complete the risk review and issue an Agency Authorization to Operate (ATO) for the service
Cloud Service Providers (CSPs) that want to sell services to a federal agency can choose from three paths to demonstrate FedRAMP compliance:
- 1. Earn a Provisional Authorization to Operate (P-ATO) from the FedRAMP Joint Authorization Board (JAB).
- 2. Receive an Authorization to Operate (ATO) from a federal agency.
- 3. Work independently to develop a CSP Supplied Package that meets program requirements.
Regardless of which path to FedRAMP authorization is selected, an assessment by an independent third-party assessment organization (3PAO) and a technical review by the FedRAMP Program Management Office (PMO) are required.
FedRAMP compliance is based on National Institute of Standards and Technology (NIST) standards along with FedRAMP-specific controls.
The FedRAMP Joint Authorization Board (JAB) is the decision-making body for FedRAMP. The JAB has representatives from the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA). The JAB determines whether FedRAMP compliance requirements have been met and if a Provisional Authority to Operate (P-ATO) will be granted.
P-ATO is granted to CSPs that have demonstrated FedRAMP compliance. Following this, the partner agency can issue the ATO.
Who Must Comply with FedRAMP?
Any commercial cloud service offering (CSO) or CSP that wishes to be used by a federal agency must demonstrate FedRAMP compliance.
The high-level requirements to achieve FedRAMP compliance are:
- Complete an audit by a FedRAMP 3PAO
- Complete FedRAMP documentation, including the FedRAMP System Security Plan (SSP)
- Create a Plan of Action and Milestones (POA&M)
- Implement security controls set forth by FIPS 199
- Remediate any issues discovered by the 3PAO audit
- Run a Continuous Monitoring (ConMon) program with monthly and annual reporting
- Secure P-ATO from JAB followed by an ATO from a partner agency
There are three levels of FedRAMP compliance and authorization that follow NIST Federal Information Processing Standard (FIPS) guidelines. The levels are based on a number of criteria (e.g., 325 controls for FedRAMP Moderate baseline, 421 controls for FedRAMP High baseline), including how the loss of confidentiality, integrity, or availability would impact an agency.
- 1. Low — for hosting data intended for public use, where unauthorized access would not compromise an agency.
- 2. Moderate — for hosting information that is not available to the public (e.g., personally identifiable information), a breach of which would seriously impact an agency’s operation.
- 3. High — for hosting sensitive government information that could cause catastrophic harm (e.g., shut down operations, bring financial ruin, or threaten human life) if systems containing the information were breached.
Steps to FedRAMP Authorization
Cloud service providers (CSPs) gain FedRAMP authorization in a three-step authorization process:
- 1. Preparation includes a readiness assessment and pre-authorization.
- Readiness assessment, completed with the aid of a Third-Party Assessment Organization (3PAO), documents the CSP’s capability to meet federal security requirements.
- Pre-authorization requires that the CSP has established a partnership with a federal agency for the project and confirms that it has the deliverables in place required for authorization. A kick-off meeting with the partner agency is also required.
- 2. Authorization starts with the 3PAO conducting an independent audit of the CSP’s systems. One of the outputs from the audit is a Security Assessment Report (SAR) that includes findings from the audit and a recommendation regarding FedRAMP authorization.
During the next step, the partner agency reviews the SAR and debriefs the CSP about it. After this, the agency issues an Authority to Operate (ATO), and the CSP is evaluated for inclusion in the marketplace with FedRAMP Authorized status.
- 3. Continuous monitoring is required for all FedRAMP Authorized CSPs. This monthly and annual reporting includes vulnerability scans, security assessments, and incident reports.
FedRAMP Authorization Best Practices
Create an access control policy for all cloud accounts that define processes and procedures for creation, deployment, modification, and decommissioning. All cloud account access should be managed and administered using an identity management tool to assign permissions with zero trust policy to enforce least privilege-access protocols.
Audits and Assessments
Policies should be put in place to ensure that the organization remains in compliance with FedRAMP requirements and is prepared at all times for monthly and yearly audits by 3PAOs.
Develop and implement standards for configuration management controls, roles, responsibilities, scope, and compliance requirements for all systems, including change management policies
Create a contingency plan that includes recovery plans and timing, key roles and responsibilities, critical systems and software, and details about backups.
Identification and Authentication
Employ identification and authentication controls that adhere to FedRAMP standards. These should also include specifics about reuse conditions, standards for changing or refreshing authenticators, and maximum lifetime requirements and refresh time periods for authenticators.
Establish incident response plans and protocols, including identifying key roles. Regularly test incident response plans and periodic reviews of the details.
Policies should be established to define which information can be shared and conditions for sharing.
Specify approved digital and non-digital media types as well as policies for usage, sanitation, and disposal.
Physical and Environmental Security
Define physical access control requirements for facility entry and exit points. Take into account emergency situations, such as power outages, weather events, flooding, and fires. Inventory issuance, tracking, and decommissioning requirements should also be established.
Establish information flow control policies that identify prohibited or restricted ports, protocols, and services. Specify requirements and restrictions for connections between internal and external systems and set rules for accessing sensitive information remotely.
Session Logins and Termination
Create access policies that dictate the number of unsuccessful login attempts, delay time before login can be reattempted, and triggers for session termination.
Document system maintenance controls, roles, responsibilities, management, coordination, and compliance requirements. Establish protocols for timing of upgrades and approval processes for conducting off-site maintenance and repairs.
Everyone in the organization should be trained on security policies and general security awareness, emphasizing any FedRAMP compliance policies.
Cross-Agency Security Expands Opportunities
The FedRAMP authorization provides a standard security risk model that CSPs can leverage for all federal agencies. This gives CSPs a consistent baseline for meeting and adhering to security standards for cloud services—FedRAMP compliance.
While the FedRAMP authorization process and compliance requirements are rigorous, once a cloud service provider obtains FedRAMP agency ATO or JAB P-ATO, it is much faster and easier to offer services to the rest of the federal government.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 23rd December, 2021