The Federal Risk and Authorization Management Program, or FedRAMP, is a federal government program to provide a standardized approach for security assessment, authorization, and continuous monitoring for cloud services and cloud products offered by cloud service providers (CSPs). FedRAMP creates a single risk-based standard so government agencies can engage with cloud-based providers more easily.
FedRAMP offers a unified approach to secure cloud-based solutions
FedRAMP was first introduced in 2011 by the Office of Management and Budget, in a memo sent to the chief information officers of other government agencies. Essentially, FedRAMP pushed those agencies toward raising their security standards and using secure cloud-based technology, rather than spending money on new on-premises infrastructure that would quickly become obsolete anyway.
As more and more federal agencies adopted a “cloud first” technology strategy, and cloud offerings became more sophisticated and interconnected, the need for better cybersecurity and continuous monitoring became obvious.
Before and after FedRAMP
Before FedRAMP, each federal agency managed its own security assessment by following guidance loosely set by the Federal Information Security Management Act (FISMA).
After FedRAMP, each individual agency could achieve the same high standard for security by picking a cloud solution that was already FedRAMP-compliant. That simplified the selection of technology vendors and subcontractors. By working with a business that has already achieved FedRAMP compliance, the agency is assured that the cloud solution offered is safe.
Requirements of cloud-based providers in the FedRAMP marketplace
To become FedRAMP authorized, a CSP must be reviewed and approved by the Joint Authorization Board (JAB), a board consisting of all the agencies that originally signed on to FedRAMP.
Each year, the JAB selects about a dozen cloud service providers and solutions to work with. If a provider passes a detailed scrutiny and testing program, it receives what’s called a Provisional Authority to Operate (P-ATO).
The heart of FedRAMP is the National Institute of Standards and Technology (NIST) Special Publication 800-53, which provides a catalog of information security controls selected to improve cybersecurity in cloud computing environments.
FedRAMP authorization gives a stamp of approval to the CSP, signaling to government agencies that the cloud solution is safe and has the necessary authorization to keep the agency in FedRAMP compliance.
Three steps to get and maintain FedRAMP compliance
FedRAMP authorization consists of three security baseline levels through which all CSPs must progress, where the final level is a commitment to ongoing monitoring by a third-party assessment organization:
- A preparation phase, which includes a basic security assessment, readiness assessment, and a full cloud security assessment;
- A JAB authorization phase with a full review of the cloud solution’s functionality (this takes 12 to 13 weeks);
- A final commitment to ongoing JAB monitoring of the cloud solution. This is especially important because ongoing monitoring means that authorized cloud products must stay current on cybersecurity threats, or they will lose their FedRAMP authorization.
FedRAMP.gov has a detailed outline of the process as experienced by cloud service providers, federal agencies, and third-party assessment organizations (3PAOs).
The three levels have increasingly stringent security requirements and standards that are tied to the types of data that CSPs are managing. Requirements for better security increase as a CSP moves through the levels.
The role and makeup of the Joint Authorization Board (JAB)
The JAB is made up of chief information officers from the Department of Defense (DoD), Department of Homeland Security (DHS), and the General Services Administration (GSA).
The JAB is responsible for establishing FedRAMP accreditation standards and for reviewing proposed new FedRAMP requirements. Those new requirements are developed on an ongoing basis as new risks to information systems emerge.
The JAB also reviews authorization packages, including results from the assessments done by third-party assessment organizations (3PAOs). The JAB may grant provisional authorization for CSPs to operate, but the federal agency using the service still has responsibility for granting the cloud service provider the final authority to operate (ATO).
FedRAMP certification is a must for CSPs that want to do business with the U.S. government
Although obtaining FedRAMP certification can be difficult, accreditation is necessary for cloud service providers that want to expand their work with the U.S. government. The FedRAMP program management office runs the website FedRAMP.gov, which is where you should start if you want to seek FedRAMP certification. The site has several templates that can help you develop a plan of action and a system security plan, which are necessary to satisfy FedRAMP compliance standards and bring you one step closer to capturing more contracts in the public sector.
Cybersecurity and compliance management tools
As you forge a path for your business through the pandemic and our highly interdependent world, many tools can help keep your business safe and your data secure as you migrate into a cloud-based environment.
ZenGRC’s compliance, risk, and workflow management software is an intuitive, easy-to-understand platform that not only keeps track of your workflow, but also lets you find areas of high risk before that risk has manifested as a real threat.
Worry-free compliance management is the Zen way. For more information on how ZenGRC can enable your CMS, contact us for a demo.