The Beginner’s Guide to FedRAMP Compliance & Authorization

Established in 2011, the Federal Risk and Authorization Management Program (FedRAMP) is designed to “provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government.”

It achieves this by standardizing cloud services security requirements according to the Federal Information Security Management Act (FISMA) and the Office of Management and Budget (OMB) Circular A-130 — both of which require federal agencies to follow the standards and guidelines established by the National Institute of Standards and Technology (NIST).

Ultimately, FedRAMP aims to “grow the use of secure cloud technologies by government agencies,” “enhance the framework by which government secures and authorizes cloud technologies” and “build and foster strong partnerships with FedRAMP stakeholders.” FedRAMP stakeholders consist of federal agencies, cloud service providers (CSPs) and third-party assessment organizations (3PAOs).

FedRAMP consists of two primary entities — the Joint Authorization Board (JAB) and the FedRAMP Program Management Office (PMO) — each of which oversee a different component of the program.

The JAB is the primary governance and decision-making body for FedRAMP and includes members of the Department of Defense (DoD), the Department of Homeland Security (DHS) and the General Services Administration (GSA). According to the JAB charter, these organizations are tasked with working together to “provide the technical knowledge and skills to provide a government-wide baseline approach to address the security needs associated with placing Federal data in cloud computing solutions.”

Additional JAB responsibilities include:

• Defining and updating FedRAMP security authorization requirements
• Approving accreditation criteria for 3PAOs
• Reviewing authorization packages for cloud services based on the priority queue
• Granting provisional authorizations for cloud services
• Ensuring that provisional authorizations are reviewed and updated
• Notifying Executive offices and agencies of any changes to provisional authorizations
• Establishing and publishing priority queue requirements for authorization package reviews

The PMO, which is part of the GSA, “supports agencies and cloud service providers through the FedRAMP authorization process and maintains a secure repository of FedRAMP authorizations to enable reuse of security packages.”

At an enforcement level, 3PAOs are responsible for assessing the security of various cloud serious offerings by performing initial and periodic assessments of CSPs based on FedRAMP compliance requirements and compiling Readiness Assessment Reports (RARs). Based on the findings of these reports, federal agencies are then expected to enforce FedRAMP compliance requirements through their contracts with CSPs.

Any CSPs who have a cloud service offering (CSO) that is being used by the federal government or any CSPs that would like to work with the federal government are advised to obtain FedRAMP authorization.

Although FedRAMP authorization — sometimes mistakenly referred to as FedRAMP certification — is not mandatory for CSPs, it is mandatory for all executive agency cloud deployments and service models. Bearing that in mind, CSPs have the opportunity to expand into the government market and grow their clientele by undergoing the FedRAMP authorization process for each of their CSOs. The PMO offers resources, including training, guidance and advisory support, to help CSPs navigate this process.

FedRAMP compliance is mandatory for all federal agencies; in order to achieve compliance, agencies are only permitted to use FedRAMP authorized CSOs and work with FedRAMP authorized CSPs.

Benefits of FedRAMP Compliance

For CSPs…

• Broaden your field of prospective customers
• Increase confidence in the security of your services
• Gain ATO from multiple federal agencies in one go
• Access additional opportunities, such as DoD contracts
• Reduce risk of data breaches across your organization

For Agencies…

• Meet federal compliance requirements
• Gain greater insight into cloud security controls
• Mitigate risk of data breaches, downtime and other security threats
• Reduce paperwork associated with compliance documentation, security
• Establish a common security framework and reuse FedRAMP-certified CSPs and CSOs for greater efficiency

There are two paths to FedRAMP compliance: Agency Authorization and JAB Authorization.

With Agency Authorization, CSPs work directly with agencies to gain the Authority to Operate (ATO). With JAB Authorization, CSPs work independently to pursue a Provisional Authority to Operate (P-ATO), which automatically clears a CSO for agency use. The JAB only prioritizes approximately 12 CSOs each year and authorizes even fewer, making this a more competitive FedRAMP compliance path than Agency Authorization.

The FedRAMP compliance process differs depending on whether a CSPs wishes to pursue an ATO or a P-ATO.

For CSPs that wish to pursue an ATO, the Agency Authorization process is as follows:

1. Readiness Assessment: A CSP can obtain a FedRAMP Ready designation by working with a 3PAO to conduct a Readiness Assessment of one of its CSOs. The 3PAO will generate an RAR based on its findings, which speak to the CSP’s ability to meet federal security requirements. Although this step of the authorization process is optional, it helps flag potential gaps within a CSP’s cybersecurity posture and gives it the opportunity to remediate.

2. Pre-Authorization: A CSP establishes a formal partnership with a federal agency according to the requirements established in the FedRAMP Marketplace Designations for Cloud Service Providers. The CSP makes any final adjustments to its technical systems and procedures to ensure alignment with federal security requirements and prepares deliverables for authorization. Finally, the CSP and agency hold a joint meeting — called a Kickoff Meeting — during which they review:

• The purpose and functionality of the CSO
• The technical security of the CSO
• The customer responsible controls
• Compliance gaps and remediation plans
• A work breakdown structure

3. Authorization: The Agency Authorization process begins in earnest with a Full Security Assessment — an independent audit performed by a 3PAO. During this audit, the 3PAO will review the CSP’s System Security Plan (SSP) and develop a Security Assessment Plan (SAP) with the authorizing agency’s input and approval. The 3PAO will then detail its findings in a Security Assessment Report (SAR), and the CSP will develop a Plan of Action and Milestones (POA&M) based on those findings.

Once this is complete, the agency will conduct a security authorization package review, during which it reviews all materials and implements, tests and documents customer responsible controls. Based on the agency’s findings, CSP remediation may be necessary. If the agency is satisfied with the results of its review, it will conduct a final risk analysis, accept risk and issue an ATO to the CSP approving the use of the CSO in question.

With an ATO in hand, the CSP must upload an Authorization Package Checklist and the complete security package (SSP, POA&M and Agency ATO letter), and the 3PAO must upload all security assessment material (SAP, SAP). The PMO then conducts a final review of all materials before approving the CSP for inclusion in the FedRAMP Marketplace.

4. Continuous Monitoring: This consists of all post-authorization activities intended to help maintain a CSP’s security authorization; this includes producing periodic security deliverables to all agency customers and undergoing an annual assessment.

For CSPs that wish to pursue a P-ATO, the JAB Authorization process is as follows:

1. Preparation: CSPs apply for P-ATO prioritization (translation: eligibility) by completing a FedRAMP Business Case and sending it to the JAB. The JAB then evaluates the CSP and its business case according to its Prioritization Criteria in a process known as FedRAMP Connect.

If the JAB chooses to prioritize a CSP, that CSP then moves to the Readiness Assessment phase, during which it must achieve FedRAMP Ready JAB designation for its CSO. In order to earn this designation, the CSP must work with an accredited 3PAO to complete a Readiness Assessment and obtain an RAR.

Once the CSP is both prioritized and deemed FedRAMP ready, it will finalize its SSP, obtain an SAP and an SAR from an accredited 3PAO and develop a POA&M. Only once this full security package is complete and presented to the JAB can a CSP move on to the next stage of the process.

2. Authorization: The JAB, the CSP and a 3PAO participate in a Kickoff Meeting, during which they review the CSO’s system architecture, security capabilities and risk posture, after which the JAB will issue either a “go” or “no-go” decision.

If the JAB issues a “go” decision, it will then conduct an in-depth review of the CSP’s security authorization package. The CSP and 3PAO will answer questions as needed, and the CSP will undergo a full month of continuous monitoring.

Once this is complete, the CSP and 3PAO have the opportunity to remediate any outstanding issues. The JAB will issue a formal authorization decision based on the results of this remediation and, if satisfied that federal security requirements have been sufficiently met, will issue a P-ATO. This P-ATO clears the CSO for entry into the FedRAMP Marketplace.

3. Continuous Monitoring: This consists of all post-authorization activities intended to maintain security authorization. The CSP is required to provide the JAB with monthly continuous monitoring deliverables and undergo an annual assessment to demonstrate continued FedRAMP compliance.

Countless CSPs have obtained one or more FedRAMP authorizations, including:

• Accenture
• Adobe
• Amazon Web Services (AWS)
• Cisco
• Deloitte
• Google
• Hootsuite
• IBM
• McAfee
• Microsoft
• Oracle
• Red Hat
• Salesforce
• Slack
• And many more

For a complete listing of FedRAMP authorized CSPs and CSOs, please visit the FedRAMP Marketplace.

All of Intradyn’s archiving solutions are deployed on AWS, which holds not one, but two separate P-ATOs for AWS GovCloud and the AWS US East and West regions. With tested and proven cloud security protocols and procedures in place, our agency clients enjoy the peace of mind of knowing that their sensitive government data is always safe.

Contact us today to learn more about our government archiving software.