If you’re new to the world of compliance in the US Federal Government, there can be some tricky terms to navigate. Here’s a quick primer on the similarities and differences between NIST and FedRAMP.

NIST Background

The National Institute of Standards and Technology (NIST) produces, among other things, a series of documents known as Special Publications (SP). The NIST SP 800 series deals with computer security, and NIST SP 800-53 revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, details the information security and privacy controls which must be in place for information systems in the US Federal government. Other 800-series documents cover further elements of information security, including risk management (SP 800-37 revision 1 and SP 800-30 revision 1) and business continuity/contingency planning (SP 800-34 revision 1).

Why is NIST Important? FISMA

The Federal Information Security Management Act of 2002 (FISMA) and the Federal Information Security Modernization Act of 2014 (also FISMA, which enhances and clarifies the original law) require US Government agencies to implement information security controls using a federal risk-based approach to information security assessment. Each agency must report its compliance annually to the Office of Management and Budget (OMB), and the primary framework in use for FISMA compliance is detailed in NIST SP 800-53. Therefore, you must be compliant with NIST standards and guidelines in order to meet annual FISMA compliance requirements. Information systems managed by non-governmental bodies (such as contracting firms or public companies) on behalf of US Government agencies may also be required to report their compliance against FISMA.

Where Does FedRAMP Fit In?

The aim of FedRAMP is to allow US Government agencies to reap the benefits of cloud services while minimizing duplicative information security work. Cloud Service Providers (CSPs) are providers offering cloud products, such as IaaS, PaaS, and SaaS, for sale to the Government. These systems must meet the requirements of FISMA, and FedRAMP provides a way to streamline the independent security assessment process for maximum efficiency so organizations can engage in a cloud-first strategy. In 2016, FedRAMP announced a new accelerated process that changed how FedRAMP Joint Authorization Board (JAB) Provisional Authorizations (P-ATO) are conducted, with the goal of speeding up the provisional authority to operate. The goal was to create a sleeker authorization management program, allowing a more predictable timeline for security authorization package assessments.

FedRAMP relies on several of the NIST SP documents, including 800-53 as a library of system controls and 800-37 for risk management. The streamlining occurs through an intelligent focus on which controls are managed by the CSP and which are managed by the agency purchasing the cloud services. As an example, a SaaS provider will offer the same shared physical security protections to all users of its system, due to the use of a single data center or hosting facility, and this should lead to a low risk for users of that provider. Conversely, each acquiring agency is responsible for implementing appropriate password controls which are sufficiently secure.

A CSP wishing to sell services to the US Government must identify which controls are relevant to the services being sold, and then engage a qualified Third Party Assessment Organization (3PAO – not to be confused with the robot from Star Wars!) to conduct an assessment that will show impact level. Once this assessment has been conducted on behalf of one US Government agency, other agencies may rely on the report of that assessment without having to conduct their own, saving time and money.

The Bottom Line

NIST provides standards and guidelines around risk management, information security, and privacy controls for information systems used by the US Federal Government. FedRAMP uses the NIST guidelines in its own framework to enable US Government agencies to use cloud services securely and efficiently.

While FedRAMP is not required for private organizations that aren’t related to federal agencies or departments, it is strongly recommended for all companies using cloud computing for consistency and efficiency.

Having a tool like ZenGRC makes managing both NIST and FedRAMP compliance pain-free. ZenGRC has FedRAMP and NIST SP 800-53 controls pre-loaded in the tool, can help you leverage existing work from other regulations to become FedRAMP compliant, and can help you prepare evidence for your 3PAO via our audit module.