Choosing which third-party vendors to trust with your data isn’t always easy, but it can be especially difficult for federal agencies. As the cloud becomes increasingly critical for business and government processes, organizations have struggled to hold cloud service providers (CSPs) to a higher standard.
For businesses, insecure cloud services have the potential to be problematic, but for government agencies, insecure solutions could be devastating. Government agencies rely on a number of high-risk vendors to operate – from first-party organizations that provide direct federal services, to third-party vendors responsible for securely handling, storing, or analyzing government data.
To assure that federal data is consistently protected at a high level in the cloud, the U.S. government developed the Federal Risk and Authorization Management Program, or FedRAMP, for cloud compliance.
In this guide, we’ll take a closer look at FedRAMP, including the steps necessary to get FedRAMP authorization. Then, we’ll explain why it’s important to find FedRAMP-certified vendors and how you can do so. Finally, we’ll suggest a solution to help you stay on top of your own FedRAMP certification, as well as the FedRAMP authorization of your third-party vendors.
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
FedRAMP was developed to help replace outdated legacy software solutions with cloud technologies, and was born from the government’s “Cloud First” strategy, which required agencies to look at cloud-based solutions as a first choice.
In 2011 the Office of Management and Budget (OMB) released a memorandum that established FedRAMP. In 2012 the General Services Administration (GSA) established the FedRAMP Program Management Office (PMO). The mission of the FedRAMP PMO is to promote the adoption of secure cloud services across the federal government, by providing a standardized approach to security and risk assessment.
Today FedRAMP prescribes the security requirements and processes that CSPs must follow for a government agency to use their service. Any CSP that holds federal data must be FedRAMP-certified.
Getting FedRAMP authorization isn’t always easy, and it’s widely known as one of the most rigorous software-as-a-service (SaaS) certifications in the world.
What is FedRAMP Certification?
Before the introduction of FedRAMP, individual federal agencies managed their own assessment methodologies according to guidance set forth by the Federal Information Security Management Act (FISMA) of 2002.
To receive authorization, CSPs had to prepare an authorization package for each agency the CSP wanted to work with. This led to inconsistent requirements and duplicate efforts for both providers and agencies.
FedRAMP introduced consistency and streamlined the process. At first, FedRAMP uptake was slow; only 20 cloud service offerings were authorized in the first four years. The pace has improved since then, and today there are more than 250 FedRAMP-authorized cloud products.
FedRAMP Governing Bodies
To develop, manage, and operate the program, FedRAMP is governed by a number of different executive branch entities that work in a collaborative manner.
As mentioned above, the Office of Management and Budget (OMB) is the governing body that first issued the FedRAMP policy memo defining key requirements and capabilities of the program.
The Joint Authorization Board (JAB) is the primary governance and decision-making body for FedRAMP. It comprises a variety of roles and responsibilities among various governing bodies, including the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense (DoD).
The National Institute of Standards and Technology (NIST) advises FedRAMP on FISMA compliance requirements and assists in developing the standards for the accreditation of independent third-party assessment organizations (3PAOs).
DHS manages the FedRAMP continuous monitoring strategy, the Federal Chief Information Officers (CIO) Council disseminates FedRAMP information to Federal CIOs and other representatives, and the FedRAMP PMO is responsible for the development of the FedRAMP program including the management of day-to-day operations.
Additionally, there are several laws, mandates and policies that are foundational to FedRAMP.
The first is FISMA, which requires that agencies authorize the information systems that they use. Essentially, FedRAMP is FISMA for the cloud. Next is the FedRAMP Policy Memo, which requires agencies to use FedRAMP when assessing, authorizing, and continuously monitoring cloud services. This aids agencies in the authorization process, and also saves government resources and eliminates duplicate efforts.
At its core, FedRAMP’s security baselines are derived from NIST SP 800-53 (as revised) with a set of control enhancements that pertain to the unique security requirements that come along with cloud computing.
How to Get FedRAMP-Certified
There are two ways to authorize a cloud service through FedRAMP.
The first is by way of the Joint Authorization Board’s (JAB) provisional authority to operate (PATO). In this process, the JAB issues a provisional authorization that lets agencies know the risk has been reviewed. This is an important first step to get approval, but any agency that wants to use the service must issue its own Authority to Operate (ATO). Ultimately, this course of action is best suited for CSPs with high or moderate risk.
The second method is by way of an individual agency’s ATO. In this process, the CSP establishes a relationship with a specific federal agency that is involved throughout the process. If the process is successful, the agency issues an ATO letter to FedRAMP.
Four Steps to FedRAMP Certification
No matter which type of authorization you pursue, FedRAMP authorization involves four main steps:
- FedRAMP package development starts with an authorization kick-off meeting. Then the CSP completes a System Security Plan (SSP). Next, a FedRAMP-approved 3PAO develops a Security Assessment Plan (SAP).
- The assessment organization submits a Security Assessment Report (SAR) and the provider creates a Plan of Action & Milestones (POAM).
- The JAB or authorizing agency decides whether the risk as described is acceptable. If the answer is yes, then the agency submits an ATO letter to the FedRAMP project management office. The CSP is then listed in the FedRAMP Marketplace.
- The provider sends monthly security monitoring deliverables to each agency using the service.
There are also four impact levels of FedRAMP for services with different types of risk. Each impact level is based on the potential of a security breach in three different areas: confidentiality, integrity, and availability (CIA).
The first three impact levels are based on the Federal Information Processing Standard (FIPS) 199 from NIST. The fourth is based on NIST SP 800-37.
The four impact levels of FedRAMP are as follows:
- High, based on 412 controls. To meet this impact level, the loss of CIA could be “expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.” This impact level usually applies to law enforcement, emergency services, financial, and health systems.
- Moderate, based on 325 controls. To meet this impact level, the loss of CIA could be “expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.” This is the most common impact level, and nearly 80 percent of approved FedRAMP applications are at the Moderate impact level.
- Low, based on 125 controls. To meet this impact level, the loss of CIA could be “expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.”
- Low-impact Software-as-a-Service (Li-SaaS), based on 36 controls. This impact level is for systems that are low risk for uses like collaboration tools, project management applications, and tools that help develop open-source code. Also known as FedRAMP Tailored, to qualify, the provider must answer “yes” to a number of specific questions.
NIST SP 800-145 establishes FedRAMP’s definitions for cloud services that are Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS), or SaaS, and any CSPs needing to define their offerings as one or multiple of these service models should refer to these guidelines.
Why is FedRAMP Certification Important?
Any and all cloud services holding federal data require FedRAMP authorization. Basically, if you want to work with the federal government, FedRAMP authorization needs to be an important part of your security plan.
FedRAMP certification is important because it assures consistency in the security of the government’s cloud services, and because it assures consistency in evaluating and monitoring that security. At a fundamental level, FedRAMP provides a single set of standards for all governing agencies and all cloud providers.
FedRAMP authorization can also make non-governmental clients more confident about the security protocols their CSP has in place. FedRAMP certification represents an ongoing commitment to meeting the highest security standards, and it can significantly boost your security credibility, even beyond the FedRAMP Marketplace.
Why Should You Seek FedRAMP-Certified Vendors?
Many of the reasons listed in the above section also apply when answering this question. If you work for a government agency, finding FedRAMP-certified vendors is not only important; it’s mandatory.
It’s also useful for organizations that aren’t affiliated with government agencies. As previously mentioned, seeking out FedRAMP-certified vendors can show your clients (governmental or otherwise) that your organization is seriously committed to security.
Likewise, choosing FedRAMP-certified vendors means that you gain transparency into their security requirements and processes. If a vendor is FedRAMP-certified, you can easily reference which control requirements it met (and at what impact level) to determine whether the vendor can meet your standards.
Ultimately, FedRAMP certification can be used as part of your overall vendor risk management (VRM) program to help standardize onboarding evaluations, identification and mitigation of risks, and monitoring activities. In turn, this can help your organization build a better vendor risk assessment (VRA) process to help vet your third-party vendors and enable them to continue to prove due diligence on those service providers.
Fortunately, FedRAMP makes it easy to find FedRAMP-certified vendors.
How Do You Find FedRAMP-Certified Vendors?
To find FedRAMP-certified vendors, simply visit the FedRAMP Marketplace.
The FedRAMP Marketplace provides a searchable, sortable database of Cloud Service Offerings (CSOs) that have achieved a FedRAMP designation. It also lists 3PAOs (accredited auditors that can perform the FedRAMP assessment). The FedRAMP Marketplace is maintained by the FedRAMP PMO, and designates three classifications for vendors.
The three CSP classifications are:
- FedRAMP Ready: for vendors that have already been evaluated by a 3PAO and completed a Readiness Assessment Report (RAR), but are not officially approved by the program.
- FedRAMP in Process: for vendors that are currently undergoing the approval process. This can take from six months to two years to complete, and can cost up to $500,000.00.
- FedRAMP Authorized: for vendors that have completed the authorization process.
Typically, a listing in the FedRAMP Marketplace makes a CSP much more likely to get additional business from government agencies. It can also improve your profile in the private sector.
Which Cloud Providers are FedRAMP Certified?
As of today, more than 250 FedRAMP-certified vendors are listed on the FedRAMP Marketplace. Remember, however, that it’s the service – not the service provider – that gets authorized. This means a CSP may have to pursue multiple authorizations if it offers more than one cloud-based solution.
Here are a few examples from CSPs you probably know and may already use:
Amazon Web Services
Amazon Web Services (AWS) has two listings in the FedRAMP Marketplace: AWS GovCloud, which is authorized at the High level, and AWS US East/West, authorized at the Moderate level. Together, these two listings have more than 500 FedRAMP authorizations combined – a number far greater than any other listing in the FedRAMP Marketplace.
Adobe Analytics was authorized in 2019 at the Li-SaaS level and is currently used by the Centers for Disease Control and Prevention (CDC) and the Department of Health and Human Services (DHHS). Other Adobe products authorized at the Li-SaaS level include Adobe Campaign and Adobe Document Cloud. Adobe products authorized at the Moderate level include Adobe Connect Managed Services and Adobe Experience Manager Managed Services.
Slack was authorized in 2020 at the Moderate level, although it initially received FedRAMP Tailored authorization at the Li-SaaS level. In pursuit of Moderate authorization, Slack partnered with the Department of Veteran Affairs. Interestingly, Slack explicitly calls attention to the additional security benefits of this authorization for private sector clients on its website:
“This latest authorization translates to a more secure experience for Slack customers, including private-sector businesses that don’t require a FedRAMP authorized environment. All customers using Slack’s commercial offerings can benefit from the heightened security measure required to achieve FedRAMP certification.”
Altogether, Slack has 21 FedRAMP authorizations and is used by agencies including the CDC, the Federal Communications Commission (FCC), and the National Science Foundation (NSF).
Obstacles to FedRAMP Certification
As the above mentioned FedRAMP-certified CSPs can probably attest, there are a number of obstacles to overcome when attempting to obtain FedRAMP authorization.
Firstly, achieving FedRAMP compliance requires a considerable investment in time and resources. This can be particularly true for organizations using legacy tools and spreadsheets to achieve and maintain compliance.
But with FedRAMP, initial compliance certification is only half the battle. As a program, FedRAMP is still evolving, which means that the standards may be subject to change in the future. Even after certification is achieved, your organization must maintain compliance management to assure that the new systems, processes and controls don’t degrade over time.
Fortunately, there are solutions designed to help. At Reciprocity, our compliance experts can help you prepare your FedRAMP compliance and certification program, expedite the process and minimize the burden on your team.
Manage Compliance with Reciprocity ZenComply
Reciprocity ZenComply is a compliance and audit management solution that delivers a faster, easier, and smarter path to compliance by eliminating tedious manual processes, accelerating onboarding and keeping you up-to-date on the progress and effectiveness of your programs. With Reciprocity ZenComply, your organization can get audit ready in less than 30 minutes – no coding or cumbersome imports required.
With expert-built preloaded content at your fingertips to make scoping, sending requests, and gathering evidence easier than ever, Reciprocity ZenComply can help you reach your goals faster and keep your teams connected. Streamlined collaboration capabilities and automated workflows minimize manual task tracking and eliminate audit fatigue.
Reciprocity ZenComply doesn’t stop at maintaining compliance. It also helps you understand how your compliance activities are affecting your risk posture so you can prioritize your investments. Now you can easily handle your compliance needs and take managing your IT risks to the next level.
With seamless integrations with Reciprocity ZenRisk and the Reciprocity ROAR Platform, ZenComply gives you a unified, real-time view of risk and compliance, and the contextual insight needed to make smart, strategic business decisions that keep your organization secure and earn the trust of your customers, partners and employees.
Take your compliance to the next level with Reciprocity ZenRisk. Talk to an expert today to learn more about how the Reciprocity Product Suite can help your organization improve its risk and compliance posture.