The Federal Risk and Authorization Management Program (FedRAMP) is meant to assure the security of cloud services used by the U.S. government. It standardizes the security assessments, authorizations, and continuous monitoring of cloud service offerings (CSOs) used by federal government agencies.
With the help of FedRAMP’s guidelines and standards, federal agencies can assess whether a CSO can handle and protect sensitive government data and then decide whether the CSO’s cloud service provider (CSP) is trustworthy.
All CSOs that achieve FedRAMP authorization are added to the FedRAMP marketplace, the official online repository of FedRAMP-authorized CSPs and CSOs. (FedRAMP authorizes rather than certifies; the marketplace lists authorizations, not certificates.) Federal agencies looking for a CSO authorized for government use can find it there.
The marketplace is also a goldmine of information about FedRAMP-authorized CSPs, FedRAMP templates, and the authorization process. This guide unpacks the key features of the FedRAMP marketplace and shows how federal agencies can use it to choose the CSO that fits their mission-critical requirements.
What Is FedRAMP?
FedRAMP was established by the Office of Management and Budget (OMB) in 2011. The National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense (DOD), the Department of Homeland Security (DHS) and other agencies collaborated to develop its policies, controls, and procedures.
All federal agencies that use (or want to use) CSOs must use FedRAMP’s assessment and authorization process. In addition, all CSPs that want to sell cloud services to federal agencies must achieve FedRAMP authorization. In short, FedRAMP is mandatory for both parties.
FedRAMP provides a “do once, use many times” security assessment framework (SAF). The SAF standardizes how the Federal Information Security Management Act (FISMA) is applied to CSOs, so that an authorization package assessed once can be reused by every agency that adopts the same CSO.
What Is the FedRAMP Marketplace?
The FedRAMP marketplace is similar to an e-commerce website where a potential buyer can search for the products the buyer needs. It is the U.S. government’s online repository of all FedRAMP-authorized CSOs and their security packages.
Instead of conducting duplicative security assessments and producing multiple continuous monitoring reports, agencies can reuse existing security packages for their own assessments of CSOs and CSPs, which accelerates their adoption of secure cloud solutions.
The marketplace is a convenient, one-stop shop of cloud products and services that any federal agency can use to find the CSOs it needs. Every CSO listed as authorized has completed the FedRAMP authorization process, so agencies can procure it knowing it already meets the government’s requirements for protecting sensitive data in cloud environments.
FedRAMP marketplace home page
The FedRAMP marketplace home page provides lots of useful information to guide agencies looking for FedRAMP-authorized CSOs, including:
- CSP name
- CSP service model: IaaS, SaaS, PaaS
- FedRAMP impact level: Low, Moderate, High, or LI-SaaS (Low Impact SaaS)
- Status: FedRAMP authorized, FedRAMP ready, FedRAMP in process
Similar to e-commerce sites like Amazon, a user can filter the results on the FedRAMP marketplace using multiple criteria:
- FedRAMP status: Authorized, Ready, In process
- Authorization type: JAB, Agency
- Service models: IaaS, SaaS, PaaS
- Deployment models: Government Community Cloud, Hybrid Cloud, Public Cloud
- Impact level: Low, Moderate, High, LI-SaaS
A federal agency user can filter the results based on provider or agency name. With the latter, it’s easy to see which agency has implemented which CSO and from which CSP.
By the end of June 2022, more than 260 FedRAMP-authorized CSPs were listed on the FedRAMP marketplace. Dozens more were in the midst of the FedRAMP authorization process, and another 29 were designated FedRAMP Ready, having signaled their intent to become a federal provider but not yet entered the authorization process.
FedRAMP marketplace resources page
The FedRAMP marketplace also provides several useful resources, including documents, templates, training materials, and information about FedRAMP security baselines. Templates are an important aspect of the FedRAMP program and its security assessment framework.
The FedRAMP marketplace provides templates for:
- Plan of Action and Milestones (POA&M)
- Readiness Assessment Report (RAR)
- FedRAMP System Security Plan (SSP) baseline templates
- FedRAMP Control Implementation Summary (CIS) workbooks
The marketplace also provides numerous checklists, toolkits, and playbooks to guide agencies and CSPs along the security assessment and authorization process.
Listing designations on the FedRAMP Marketplace
Every CSO on the FedRAMP marketplace carries one of three listing designations:
FedRAMP Ready
This status indicates that an independent Third Party Assessment Organization (3PAO) has attested to the CSO’s readiness for the authorization process, and that the FedRAMP Program Management Office (PMO) has approved the resulting Readiness Assessment Report (RAR), indicating that the CSP is likely able to satisfy FedRAMP security requirements.
FedRAMP Ready is not an authorization. It means the CSP has expressed an interest in becoming a federal provider and has demonstrated, through the RAR, that the CSO can meet the baseline FedRAMP criteria; it does not by itself permit agency use of the CSO.
FedRAMP In Process
This designation is given to CSPs actively working towards FedRAMP authorization, either with the Joint Authorization Board (JAB) or with a sponsoring federal agency.
FedRAMP Authorized
This designation means that the CSP has completed the FedRAMP authorization process, and its security package is available on the marketplace for agency review and reuse.
What Is the FedRAMP Authorization Process to Get Listed On the FedRAMP Marketplace?
CSPs must complete the FedRAMP authorization process to be listed as FedRAMP Authorized on the marketplace. To achieve authorization, a CSP can pursue one of two paths:
- A provisional authorization to operate (P-ATO) through the FedRAMP Joint Authorization Board (JAB).
- An authorization to operate (ATO) through a federal agency.
What Is FedRAMP ATO?
In the ATO path, agencies work directly with the CSP throughout the FedRAMP authorization process. The ATO is a formal declaration by an agency authorizing the use of a CSO.
When applying for the ATO, the CSP will provide a security authorization package to the agency, which will perform a risk review of the package in accordance with FedRAMP requirements.
Agencies can use a FedRAMP-accredited 3PAO or a non-accredited Independent Assessor (IA) to perform the CSO’s independent assessment before granting the ATO. FedRAMP recommends that agencies use a 3PAO from the FedRAMP 3PAO accreditation program.
The FedRAMP marketplace lists all FedRAMP-accredited 3PAOs, and for each one includes:
- Number of assessments completed
- Types of CSOs assessed
- Names of CSPs assessed
- Federal agencies collaborated with during the authorization process
After authorizing a package, the agency informs the FedRAMP PMO via email. The CSP then submits the package for PMO review. After confirming that the package meets FedRAMP requirements, the PMO will publish it on the FedRAMP marketplace. Other agencies can reuse the same package when they want to grant their own ATO to the CSP.
What is FedRAMP P-ATO?
A CSP can also obtain a P-ATO by submitting its security authorization package to the JAB. For this path the package must include an independent assessment by a FedRAMP-accredited 3PAO (mandatory for a P-ATO), which tests, verifies, and validates the CSO’s control implementation. The JAB then performs a risk review of all the documents in the package before granting the P-ATO.
After granting the P-ATO, the JAB informs agencies that the CSO has an acceptable risk posture for agency use at the designated impact level. Agencies can then decide whether to grant their own ATOs for that CSO.
The JAB also oversees continuous monitoring to confirm that the CSO maintains an acceptable risk posture per FedRAMP and government requirements. The “provisional” in P-ATO indicates that the JAB has completed the risk review and found the risk acceptable; it does not accept risk on behalf of any federal agency, and each agency must still issue its own ATO before using the CSO.
How do agencies use FedRAMP?
The standards and baselines established under FedRAMP allow federal agencies to standardize the authorization process for CSOs and to confirm that a CSO has implemented the FedRAMP baseline security controls for its impact level.
All agencies must enforce the FedRAMP requirements through their contracts with CSPs. When granting security authorization for a CSO, agencies use existing authorizations as a starting point rather than assessing from scratch.
After granting the authorization, they submit the security authorization package to the FedRAMP PMO, together with the signed ATO letter.
All security packages that have completed PMO review are available on the FedRAMP marketplace for other agencies to reuse. To use a CSO that is not already FedRAMP authorized, agencies must sponsor the CSP under the full authorization process.
The CSP will work with the agency over the full security assessment and authorization process. When this process is complete and the PMO approves the authorization package, the agency can deploy the CSO for their use.
Simplify and Manage FedRAMP Compliance with Reciprocity ZenComply
Whether you are preparing for a FedRAMP audit or aiming to maintain FedRAMP compliance, manual processes and spreadsheets are not the best way to achieve your goals. What you need is automation coupled with pre-built content and continual compliance monitoring. You need ZenComply.
ZenComply is an all-in-one platform for compliance, audits, governance, and risk management. See how ZenComply can help you drive greater compliance efficiencies with minimal effort. Schedule a demo to get started.