The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. federal government program that standardizes how cloud products and services are assessed, authorized, and continuously monitored before federal agencies use them. Simply put, FedRAMP gives cloud service providers a single baseline of security requirements to meet, so they can sell their cloud service offerings to federal agencies without a separate assessment for every contract.
Any cloud service provider (CSP) whose offering will process, store, or transmit federal data must achieve FedRAMP authorization before an agency can use it. The authorization serves as a seal of approval, so individual agencies do not need to perform an entirely new security assessment for each CSP they consider.
Read on to learn more about FedRAMP compliance requirements, benefits, and security controls.
What Is FedRAMP Compliance?
FedRAMP’s standards are based on the security frameworks established by the National Institute of Standards and Technology (NIST). The program is run by a Program Management Office within the General Services Administration (GSA), and its Joint Authorization Board is made up of the chief information officers of the GSA, the U.S. Department of Homeland Security (DHS), and the Department of Defense (DoD).
Any cloud provider looking to sell its cloud service offering (CSO) to federal agencies must achieve FedRAMP compliance by implementing the security controls that FedRAMP selects and tailors from NIST Special Publication 800-53. Many public CSPs are FedRAMP authorized; AWS is one.
The FedRAMP Program Management Office (PMO) and the Joint Authorization Board (JAB) assure that the program’s baseline security controls are incorporated into the security assessment, authorizations, and monitoring of CSPs.
These processes matter to federal agencies. FedRAMP standardizes and streamlines the processes so agencies can efficiently assess a CSP’s security controls and confirm that its cloud offerings are secure enough to protect sensitive government data.
What Does FedRAMP Certification Mean?
Strictly speaking, FedRAMP issues authorizations rather than certifications, but the terms are often used interchangeably. A CSO that holds a FedRAMP authorization may be used by federal agencies, and the authorization attests that the CSO has implemented the security controls and requirements laid out by the FedRAMP program for its impact level and that an independent assessor has verified them.
FedRAMP Certification Process: Two Pathways
Before a CSP can achieve FedRAMP authorization, a third-party assessment organization (3PAO) performs compliance assessments on its CSO. The 3PAO verifies the CSP’s security implementations and confirms the cloud environment’s overall risk posture.
The 3PAO documents its findings in a Security Assessment Report (SAR), which becomes part of the CSP’s FedRAMP security assessment package. An agency reviews the package and, if it accepts the residual risk, issues the CSP an Authority to Operate (ATO). That ATO is the authorizing agency’s own risk decision; other agencies may reuse the package but must issue their own ATO.
Repeatable Security Assessment Framework
FedRAMP offers a “do once, use many times” security assessment framework (SAF). This repeatable and standardized approach allows agencies to reuse existing security packages for FedRAMP-authorized CSOs.
These CSOs are listed as “FedRAMP Authorized” on the FedRAMP marketplace, which means they meet FedRAMP’s security requirements.
ATO and P-ATO
The ATO is one pathway for CSPs to achieve FedRAMP authorization. They can also get FedRAMP-certified through a provisional authorization to operate (P-ATO) from the FedRAMP JAB.
To get an ATO, CSPs work directly with an agency, which performs a risk review of the CSP’s security authorization package and makes the authorization decision (that is, grants the ATO). Under the P-ATO option, the CSO is first independently tested, verified, and validated by a 3PAO, and the JAB then performs the risk review of the resulting authorization package.
If the JAB grants a P-ATO, it is signaling to agencies that the CSO’s risk posture is acceptable for agency use at the authorized impact level. A P-ATO is not itself an authorization to use the service; each agency still issues its own ATO, but it can do so by reusing the JAB-reviewed package instead of repeating the assessment.
Difference between FedRAMP and other compliance standards
FedRAMP specifies its own standards and is therefore distinct from other compliance frameworks.
FedRAMP vs. FISMA
The Federal Information Security Management Act (FISMA, updated by the Federal Information Security Modernization Act of 2014) is a law that requires federal agencies to secure their information systems according to NIST standards; FedRAMP is a compliance program that specifies baseline controls and impact levels specifically for cloud computing environments. In other words, FedRAMP is how a cloud service provider demonstrates that its offering satisfies FISMA’s requirements when used by an agency.
FISMA and FedRAMP also have different assessment methods. Under FedRAMP, a CSP must pass an independent 3PAO security assessment before it can receive an agency ATO or a JAB P-ATO. Under FISMA alone, a system is authorized on the basis of the agency’s own security assessment. FedRAMP therefore adds requirements beyond plain FISMA compliance: an accredited independent assessor, cloud-specific control parameters, and a mandatory continuous monitoring program.
FedRAMP applies only to cloud offerings used by federal agencies and to the CSPs that sell them. FISMA applies to every federal information system, whether cloud-based or not, and extends to contractors, state agencies, and other organizations that operate systems on behalf of federal agencies.
FedRAMP vs. SOC2
FedRAMP is mandatory for any CSO that will handle federal data and prescribes the specific controls a CSP must implement. SOC 2, by contrast, is a voluntary attestation: an independent CPA firm examines the controls a company has chosen to implement against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy) and reports on their design and, for a Type 2 report, their operating effectiveness over a period.
A SOC 2 report therefore lets customers understand a CSP’s security profile, but it does not mandate a fixed set of controls the CSP must adhere to, and it carries no government authorization. Many CSPs hold both: SOC 2 for commercial customers and FedRAMP authorization for federal ones.
Who Must Comply with FedRAMP?
FedRAMP is a U.S. government program to standardize the application of FISMA to the cloud products and services used by government agencies. All CSOs that process or transmit sensitive government data must comply with FedRAMP and achieve FedRAMP authorization either via an agency ATO or a JAB-provided P-ATO.
Whether a CSP receives an ATO or a P-ATO, the authorization demonstrates that the CSP has implemented all FedRAMP-mandated cloud security measures to protect sensitive government data.
Benefits of FedRAMP Certification
A FedRAMP-authorized CSP can demonstrate that its cloud environments have the necessary security controls to securely handle government data. Moreover, the CSP is then added to the FedRAMP marketplace, which gives access to a large and lucrative pool of potential federal customers.
Moreover, CSPs don’t have to repeat the certification process for each agency. Instead, any agency can access the CSP’s existing security authorization package and decide whether it wants to grant an ATO to the CSP.
Federal agencies also benefit from the program: an authorized CSP has demonstrated, through an independent assessment, that it has implemented the baseline controls for protecting federal information and information systems, and continuous monitoring keeps that evidence current. Further, the SAF allows agencies to review an authorized cloud solution without needing to conduct their own assessment from scratch before issuing their ATO.
All in all, FedRAMP helps establish mutually beneficial public-private partnerships to promote the advancement of secure cloud technologies. It also speeds up the adoption of these technologies across the U.S. government.
FedRAMP Authorization Process and Compliance Requirements
A CSP must satisfy all the requirements mandated by FedRAMP to achieve an ATO or P-ATO. Broadly, these requirements are:
- Complete the FIPS PUB 199 worksheet to categorize the types of information the CSO handles and determine the resulting FedRAMP impact level (Low, Moderate, or High).
- Select the FedRAMP security control baseline that matches the FIPS PUB 199 categorization.
- Implement the security controls in that baseline, using the FedRAMP-defined parameter values.
- Document the implemented security controls in a System Security Plan (SSP) based on the FedRAMP-provided template.
- Work with an independent 3PAO to test the CSO and demonstrate that its controls are effective and implemented as documented in the SSP.
- Submit the supporting documents FedRAMP requires alongside the SSP, such as an e-authentication worksheet, a privacy threshold analysis, information security policies, an incident response plan, and so forth.
- Develop a Plan of Action and Milestones (POA&M) to track and remediate the weaknesses noted in the 3PAO’s Security Assessment Report (SAR).
- Submit the final authorization package for review to the agency (for an ATO) or the JAB (for a P-ATO).
- Obtain the ATO or P-ATO.
- Operate a Continuous Monitoring (ConMon) program, including monthly vulnerability scanning and POA&M updates, to meet FedRAMP requirements and keep the risk posture at the authorized level.
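The first two steps above, categorizing the information a CSO handles and selecting the baseline, follow the FIPS 199 "high-water mark" rule: each security objective (confidentiality, integrity, availability) is rated at the highest impact of any information type the system handles, and the overall system category is the highest of the three objectives. The script below is an added example written for this page, not FedRAMP PMO tooling; the three information types and their impact values are constructed for illustration and would come from a real FIPS 199 worksheet in practice.

```python
"""FIPS 199 high-water-mark categorization for a cloud service offering (CSO).

Added example, not FedRAMP PMO tooling. The information types and impact
values in SAMPLE_TYPES are constructed for illustration.
"""
from dataclasses import dataclass

# Ordered low to high so the high-water mark is a simple max() over ranks.
LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class InformationType:
    """One row of the FIPS 199 worksheet: an information type and its C/I/A impact."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for value in (self.confidentiality, self.integrity, self.availability):
            if value not in RANK:
                raise ValueError(f"{self.name}: impact must be one of {LEVELS}, got {value!r}")


def high_water_mark(values):
    """Return the highest impact level among the given values."""
    return max(values, key=RANK.__getitem__)


def categorize_system(info_types):
    """Apply FIPS 199 to a list of InformationType rows.

    Returns (per_objective, overall): the impact for each security objective
    across all information types, and the overall system categorization,
    which is what selects the FedRAMP Low/Moderate/High baseline.
    """
    if not info_types:
        raise ValueError("a CSO must handle at least one information type")
    per_objective = {
        "confidentiality": high_water_mark(t.confidentiality for t in info_types),
        "integrity": high_water_mark(t.integrity for t in info_types),
        "availability": high_water_mark(t.availability for t in info_types),
    }
    overall = high_water_mark(per_objective.values())
    return per_objective, overall


def fips199_notation(system_name, per_objective):
    """Render the categorization in the SC = {(objective, impact), ...} form used by FIPS 199."""
    pairs = ", ".join(f"({obj}, {impact})" for obj, impact in per_objective.items())
    return f"SC {system_name} = {{{pairs}}}"


def fedramp_baseline(overall):
    """Map the overall FIPS 199 category to the FedRAMP baseline to select."""
    return {"LOW": "FedRAMP Low", "MODERATE": "FedRAMP Moderate", "HIGH": "FedRAMP High"}[overall]


# Constructed sample worksheet: a SaaS that mostly serves public program
# guidance but also stores grant-applicant PII. A single MODERATE
# confidentiality rating pulls the whole system to the Moderate baseline
# even though every other cell is LOW; this is the high-water mark effect.
SAMPLE_TYPES = [
    InformationType("public program guidance", "LOW", "LOW", "LOW"),
    InformationType("grant applicant PII", "MODERATE", "LOW", "LOW"),
    InformationType("help-desk tickets", "LOW", "LOW", "LOW"),
]

if __name__ == "__main__":
    per_obj, overall = categorize_system(SAMPLE_TYPES)
    print(fips199_notation("grants portal", per_obj))
    print("Overall:", overall, "->", fedramp_baseline(overall))
```

The point a practitioner should take from running this is that adding one information type with a higher rating anywhere in the worksheet changes the baseline, and with it the number of controls the 3PAO will test; categorization is therefore worth settling before the SSP is written rather than after.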
Once a CSP achieves FedRAMP authorization and is added to the FedRAMP marketplace, it can change its CSO according to the procedures in its Configuration Management Plan. However, the CSP must report to its authorizing body any change that could affect its ability to meet FedRAMP requirements, and a significant change (for example, a new authentication mechanism or a new data center) must be assessed before it is made.
FedRAMP Security Controls
Cloud systems that process or transmit government data must adhere to the FedRAMP baseline controls. Every control in these baselines is drawn from NIST SP 800-53, with FedRAMP specifying the parameter values and additional requirements for cloud environments. The controls span multiple security domains, including:
- Access control
- Configuration management
- Audit and accountability
- Identification and authentication
- System security planning
- Contingency planning
- Risk assessment
- Incident response
- Awareness and training
- System and information integrity
FedRAMP defines three “impact levels” with specific control requirements for each. The more sensitive the data a CSO handles, the higher the impact level, and the more security controls the CSP must include in the cloud offering.
Impact Level | Number of controls
Low-Impact Software-as-a-Service (LI-SaaS) | 36
FedRAMP controls baselines are the bare minimum that every CSP must implement to work with federal agencies. Each agency may ask for additional security controls above the baseline, which the CSP must also implement to achieve agency ATO.
Manage Compliance With ZenComply
Are you aiming for FedRAMP compliance? Or preparing for a FedRAMP audit? Regardless of your primary goal, ZenComply can help!
ZenComply is a compliance and audit management solution that delivers a faster, easier and smarter path to compliance by eliminating tedious manual processes, accelerating onboarding and keeping you up-to-date on the progress and effectiveness of your programs.
Tap into the power of automation to eliminate cumbersome manual processes and spreadsheets. Take advantage of pre-built content for 30+ standards and regulations to drive greater efficiencies for less effort.
Schedule a demo to learn more about how ZenComply can help you move from “check-the-box” compliance to compliance-driven risk management.