As businesses and organizations move all sorts of services onto cloud-based technology, many government agencies are making the same leap. Cloud computing is the way of the future, but it also introduces new security risks for any organization that adopts the cloud as a technology strategy.
Many government agencies hold especially sensitive data, which could have devastating consequences in the wrong hands. For this reason and more, any cloud service provider (CSP) whose service will handle U.S. federal data must obtain a FedRAMP authorization (commonly, if loosely, called FedRAMP certification).
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The goal of FedRAMP is to make sure federal data is consistently protected at a high level in a variety of cloud solutions, so that government agencies can find and use those trustworthy CSPs more easily.
Receiving FedRAMP certification can be a long and tedious process, but it doesn’t have to be. Preparing for FedRAMP before you submit for authorization makes the process far less cumbersome.
In this article we’ll help you prepare for FedRAMP certification so that when you’re ready to submit your package, you can do so without a hitch.
What Is FedRAMP Certification?
The Federal Risk and Authorization Management Program (FedRAMP) is a comprehensive framework that defines the security requirements cloud service providers must meet to be eligible to provide cloud products and services to federal agencies. Strictly speaking, FedRAMP does not issue a certificate the way ISO 27001 does: the outcome is an authorization to operate (an ATO or P-ATO) granted by the government, which common usage, and this article, calls “certification.”
All cloud services that store, process, or transmit federal data are required to hold a FedRAMP authorization. Basically, if you want to work with the federal government, FedRAMP will need to be an important part of your overall cloud security plan.
FedRAMP provides a single set of standards and security controls for all federal agencies, all CSPs, and the third-party assessment organizations (3PAOs) that assess them. In doing so, FedRAMP assures consistency in the security of the government’s cloud services, as well as consistency in the methods for evaluating and monitoring that security.
FedRAMP authorization can help CSPs that only work with private-sector customers, too, because it demonstrates an ongoing commitment to meeting high security standards. An authorization at a FedRAMP baseline, and the resulting listing on the FedRAMP Marketplace, can significantly boost your security credibility with all of your clients.
Understanding FedRAMP is critical, especially for organizations that want to get certified. So let’s start with the FedRAMP fundamentals.
Understanding the Basics of FedRAMP
FedRAMP was established more than 10 years ago as cloud migration became more and more common. The framework grew out of the U.S. government’s “Cloud First” policy of 2010, which requires federal agencies to evaluate cloud-based solutions as a first option for their technology needs.
FedRAMP was officially launched in 2011 by the Office of Management and Budget (OMB). The FedRAMP Program Management Office (PMO), housed at the General Services Administration, was established in 2012 to promote the adoption of secure cloud services across the federal government by providing a standardized approach to security risk assessment.
FedRAMP uptake was slow at first, with only 20 cloud service offerings authorized in the program’s first four years. The pace of adoption accelerated from 2018 onward, and at the time of writing there are more than 250 FedRAMP-authorized cloud products listed on the FedRAMP Marketplace, including offerings from the largest CSPs such as Amazon Web Services.
What Is the FedRAMP Certification Process?
Before FedRAMP, individual federal agencies managed their own assessment methodologies following guidance set by the Federal Information Security Management Act (FISMA) of 2002. CSPs had to prepare a separate authorization package for each agency they wanted to work with, which led to inconsistent requirements and duplicated effort for providers, assessors, and agencies alike.
FedRAMP streamlined this process and introduced consistency to make it easier for both agencies and CSPs. While FedRAMP makes authorization easier to attain, it’s still a rigorous process, and the required level of security is mandated by federal policy (and, since the FedRAMP Authorization Act of 2022, by statute). FedRAMP is considered one of the most rigorous cloud security authorizations in the world; according to the program, it encompasses 14 applicable laws and regulations along with 19 standards and guidance documents.
FedRAMP’s security baselines are derived from NIST SP 800-53 (the security and privacy control catalog published by the National Institute of Standards and Technology), with additional controls, control enhancements, and parameter values specific to cloud computing. More simply, FedRAMP is FISMA applied to cloud services.
Today there are two ways to gain FedRAMP authorization as a CSP:
- A Joint Authorization Board (JAB) provisional authority to operate (P-ATO): the JAB issues a provisional authorization, which tells government agencies that the system’s risk has been reviewed by the three agencies represented on the JAB. Each agency that then uses the service still issues its own ATO, relying on the JAB’s review rather than repeating it.
- An Agency Authorization: the CSP establishes a relationship with a specific sponsoring agency and a 3PAO, both of which are involved throughout the process. If the process is successful, the agency issues an “authority to operate” (ATO) letter, and the authorization package is submitted to the FedRAMP PMO for review and Marketplace listing.
The JAB has been the primary governance and decision-making body for FedRAMP. It is composed of the chief information officers of the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense (DoD), and it is the body that issues a P-ATO. (Note that the FedRAMP Authorization Act of 2022 replaced the JAB with a FedRAMP Board; check fedramp.gov for the authorization paths currently offered.)
No matter which authorization you pursue, FedRAMP authorization generally involves the three following steps. (We’ve simplified them for the sake of brevity.)
Step 1: Preparation
For JAB P-ATO, the preparation phase consists of three steps: FedRAMP Connect, Readiness Assessment, and the Full Security Assessment.
For agency authorization, the preparation phase consists of two steps: Readiness Assessment and Pre-Authorization.
Step 2: Authorization
For JAB P-ATO, the authorization phase consists of the authorization kickoff, review of the security deliverables, and P-ATO issuance by the JAB.
For agency authorization, the authorization phase consists of two steps: Full Security Assessment and Agency Authorization Process. During this phase the CSP completes a System Security Plan (SSP) describing how every control in the applicable baseline is implemented; the 3PAO develops a Security Assessment Plan (SAP), tests the system against it, and submits a Security Assessment Report (SAR) listing its findings; and the CSP creates a Plan of Action & Milestones (POA&M) that tracks how and when each open finding will be remediated.
Once all submissions have been received, the authorizing official (the JAB, or the sponsoring agency’s authorizing official) decides whether the residual risk described in the SAR and POA&M is acceptable. Note that the 3PAO assesses and reports; it does not make the authorization decision. If the answer is yes, the agency issues its ATO letter (or the JAB its P-ATO) and the package goes to the FedRAMP Program Management Office. After the PMO completes its review, the CSP is listed on the FedRAMP Marketplace.
Step 3: Continuous Monitoring
For both a JAB P-ATO and an agency authorization, the continuous monitoring phase consists of the post-authorization activities required to keep your authorization. In practice this means monthly vulnerability scans of operating systems, databases, and web applications delivered to the authorizing agency along with an updated POA&M, an annual assessment by a 3PAO, incident reporting, and notification of significant changes to the system before they are made.
For more detailed information about each stage of the FedRAMP authorization process for both JAB P-ATO and agency ATO, visit FedRAMP’s webpage.
FedRAMP Impact Levels
The number of security controls and practices that a CSP must implement depends on the “impact level” of the system, which is determined by the sensitivity of the federal data it will handle (categorized per FIPS 199) rather than by the contract as such. The more sensitive the data, and therefore the more severe the consequences of a breach, the higher the impact level and the stronger the CSP’s security needs to be.
The four FedRAMP impact levels are:
- High. This impact level applies when the loss of confidentiality, integrity, or availability (CIA) could cause a “severe or catastrophic adverse effect” on operations, assets, or individuals. It usually applies to law enforcement, emergency services, financial, and health systems.
- Moderate. This impact level applies when the loss of CIA could cause a “serious adverse effect” on operations, assets, or individuals. It is the most common impact level for CSPs; nearly 80 percent of FedRAMP authorizations are at the Moderate level.
- Low. This impact level applies when the loss of CIA could cause a “limited adverse effect” on operations, assets, or individuals.
- Low-impact Software-as-a-Service (Li-SaaS). Also known as FedRAMP Tailored, this is a reduced baseline rather than a separate FIPS 199 category. It is designed for low-risk SaaS offerings that do not store personally identifiable information beyond login credentials, such as collaboration tools, project management applications, and tools that help develop open-source code.
Implementing a FedRAMP system and obtaining a Moderate or High ATO takes most organizations 12 to 18 months. Organizations should use this time to draft requirements, design and architect the system, implement and document technical controls and processes, train staff, and have a 3PAO assess the system.
The FedRAMP framework is comprehensive, so take the necessary steps to prepare for a project of this size. Before you begin, you’ll need to ensure that implementation of your FedRAMP program is going to meet your own cost and budget requirements, as well as the U.S. government customer requirements.
Next, we’ll provide some steps your organization should take to assure successful implementation of FedRAMP.
How to Prepare for FedRAMP
Preparing for FedRAMP is perhaps the most important step in the whole authorization process. Ultimately, if you aren’t well-prepared for FedRAMP before you begin, you may find yourself needing to repeat the process after a failed first attempt – a mistake that will inevitably be more costly than getting it right the first time.
Here are some things you can do to prepare for FedRAMP authorization:
Put a Support Network in Place
FedRAMP P-ATOs and ATOs are expensive. They require a significant amount of resources up-front to support the numerous system, process, and staffing changes needed to meet the security requirements.
Any endeavor that requires resources will need support from senior management, the board of directors, and the C-suite, that is, all of the decision-makers in your organization. These are the people who can ensure that large-scale changes to your organization (like the ones FedRAMP requires) are implemented in a timely and efficient manner.
You’ll also need to establish a project team. This team should consist of representatives from various departments that will either drive FedRAMP compliance or be affected by it. Your team should include at least the following stakeholders:
- System or software engineers
- System security engineers
- Corporate IT staff
- Customer service specialists
- Human resources
- An accredited 3PAO (engaged early, though it remains independent of the team that builds and operates the system it will assess)
To manage all of these people and the moving parts involved in implementing a FedRAMP-authorized system, assign an experienced project manager who can hold the responsible parties accountable for completing FedRAMP work. A project manager helps ensure that the project meets its schedule, budget, and FedRAMP P-ATO or ATO requirements; the absence of one is a common cause of delay.
Participate in FedRAMP Training
The FedRAMP PMO recommends that when a CSP is pursuing FedRAMP authorization, all stakeholders at that CSP participate in the free FedRAMP training, so that everyone is aligned with the government’s expectations and understands how their organizational unit fits into the overall compliance program.
FedRAMP training courses are geared for several groups:
- CSPs. This FedRAMP training course helps CSPs understand the requirements of the security package and gives a detailed overview of the required templates and their supporting documentation.
- 3PAOs. This FedRAMP training course is required for all 3PAOs seeking FedRAMP recognition. It focuses on specific functions, processes, procedures, policies, and guidance needed to complete their assessment of a CSP.
- Federal agencies. This course provides agency stakeholders with the best practices and tips for successfully implementing the FedRAMP authorization process.
The FedRAMP training webpage hosts a number of deep-dive courses and webinars on various elements of the authorization process and what’s required of specific stakeholder groups, as well as relevant and timely videos about FedRAMP requirements and program updates.
Establish Business Context
Ultimately, FedRAMP’s requirements extend beyond the IT realm and will affect the management and operations teams at your organization. Although various departments may have a clear understanding of the processes within each specific business unit, those departments may still be unclear about how those processes fit into larger business workflows.
For this reason, it’s critical to include all of the appropriate representatives from each business unit during key processes, and to make sure that they understand both the processes that are specific to their department as well as how those processes relate to each other and the organization as a whole.
In general, the ability to understand the detailed steps of each business process from end to end will allow your organization to facilitate integration between cross functional teams; identify any dependencies between existing processes and opportunities for improvement; quantify and understand any gaps between existing processes and FedRAMP requirements; and better align your organizational culture and governance process with FedRAMP system authorization requirements.
Engage with a Sponsoring Agency
Due to the stringent requirements and the JAB’s limited capacity to take on new P-ATOs, most organizations opt to obtain an agency ATO first. To do so, your organization will need to establish a relationship with a sponsoring agency.
Like NIST SP 800-53 on which it is built, FedRAMP contains “organization-defined” parameters in many controls (for example, how often a review must occur or how long a record must be retained). FedRAMP fixes most of these values in its baselines, and your sponsoring agency defines any that remain, so the agency will tell you the specific requirements your system must meet.
To increase an agency’s willingness to sponsor you, first establish a relationship with the agency’s stakeholders to demonstrate your commitment to the security of their data.
Whether you’re pursuing a JAB P-ATO or an agency ATO, the principle is the same: build a relationship early with the body that will define the organization-defined requirements and ultimately decide whether to accept the risk, because it is the JAB (for a P-ATO) or the sponsoring agency’s authorizing official (for an ATO) that signs off. The 3PAO assesses and reports on your system; it does not grant the authorization.
The cost and complexity of the FedRAMP authorization process make it nearly impossible for organizations to complete on their own. A blind attempt without guidance is likely to lead to costly changes and delays, and may even leave your organization starting over from the beginning.
If you haven’t already, consider partnering with a 3PAO: an organization accredited to perform FedRAMP assessments, meaning it has met the requirements set forth by A2LA, ISO/IEC 17020, and the FedRAMP PMO. (A 3PAO is also required to demonstrate mastery of FedRAMP by successfully completing the government’s Cyber Range Assessment.)
Although mandated, the FedRAMP framework is risk-based and in places open to interpretation; there isn’t always a clear path to demonstrating that your organization meets a particular control requirement.
A 3PAO can help you determine whether a control is met given the associated risk and the control’s context; ensure the appropriate architectural, process, and staffing changes are identified and implemented; minimize cost and project duration; and attest in the SAR that the requirements are met and that the system is appropriately secure.
Additionally, a governance, risk, and compliance (GRC) software solution can help automate many of the processes and workflows involved in the FedRAMP authorization process.
Manage Compliance with Reciprocity ZenComply
FedRAMP compliance generally requires a considerable investment of time and resources, particularly for organizations using outdated systems and tools to achieve and maintain compliance. Even then, the initial authorization is only half the battle.
To keep the authorization, your organization must also demonstrate continuous monitoring. At the same time, FedRAMP as a program is still evolving, so your organization will need to ensure that its new systems, processes, and controls do not degrade over time and that they meet any new requirements that emerge in the future.
Reciprocity ZenComply is a compliance and audit management solution that delivers a faster, easier, and smarter path to compliance by eliminating tedious manual processes, accelerating onboarding and keeping you up-to-date on the progress and effectiveness of your programs. With Reciprocity ZenComply, your organization can get audit-ready in less than 30 minutes – no coding or cumbersome imports required!
With expert-built, preloaded content at your fingertips to make scoping, sending requests, and gathering evidence easier than ever, Reciprocity ZenComply can help you reach your goals faster and keep your teams connected. Streamlined collaboration capabilities and automated workflows minimize manual task tracking and eliminate audit fatigue.
Reciprocity ZenComply doesn’t stop at maintaining compliance. It also helps you understand how your compliance activities affect your risk posture, so you can effectively prioritize your investments. Now you can easily handle your compliance needs and take managing your IT risks to the next level.
With seamless integrations with Reciprocity ZenRisk and the Reciprocity ROAR Platform, ZenComply gives you a unified, real-time view of risk and compliance, and the contextual insight needed to make smart, strategic business decisions that keep your organization secure and earn the trust of your customers, partners and employees.
Take your compliance to the next level with Reciprocity ZenRisk. Talk to an expert today to learn more about how the Reciprocity Product Suite can help your organization improve its risk and compliance posture.