As the U.S. Federal Government came to recognize the benefits of moving government IT infrastructure to cloud solutions, including cost efficiency, elasticity, and the potential for improved security and compliance, it also needed a way to ensure that cloud service providers and products could appropriately protect federal data. To that end, the federal government developed a standardized set of security requirements for cloud services.
To efficiently assess and authorize cloud services, the U.S. Government created the Federal Risk and Authorization Management Program or FedRAMP.
FedRAMP is a government-wide program that provides a single, standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Although the process is well documented, FedRAMP can still be confusing and difficult to understand if your organization is looking to become FedRAMP authorized. In the following sections, I explain at a high level the key items one must know before getting started.
FedRAMP is overseen by the Joint Authorization Board (JAB), which is composed of the Chief Information Officers of the Department of Homeland Security, the General Services Administration, and the Department of Defense. The FedRAMP Program Management Office (PMO) administers the day-to-day functions of the program on behalf of the JAB. In addition to the JAB and the FedRAMP PMO, the following stakeholders play an important part in the FedRAMP authorization process:
- Executive branch federal agencies (agencies) – In 2011, the President's Office of Management and Budget established a policy that all cloud services used by one or more executive branch agencies must comply with FedRAMP requirements. Agencies are responsible for (1) ensuring that they procure and/or use only FedRAMP-compliant systems, and (2) where no FedRAMP authorization currently exists, assessing the cloud service provider or product for FedRAMP compliance and, if it is found compliant, authorizing its use through an official Authority to Operate (ATO) letter.
- Cloud Service Providers (CSPs) – CSPs are commercial or government entities that offer a cloud product or service. CSPs are responsible for implementing and documenting the FedRAMP security controls, hiring an independent third-party assessor to perform the initial and annual assessments, submitting the required documentation and assessment results to the federal government to obtain and maintain FedRAMP authorization, and meeting continuous monitoring requirements.
- Third Party Assessment Organizations (3PAOs) – 3PAOs are independent entities, hired by the CSP, that perform the initial and periodic security assessments of the CSP's cloud system.
Paths to Authorization
There are three paths by which a CSP's security package can enter the official FedRAMP repository. Once a package is listed in the repository, any federal agency can review it and decide whether it wants to use the system. Packages in the repository are designated either as (1) authorized and ready for use, or as (2) candidates for approval. The three official paths are:
- FedRAMP PMO / JAB – The CSP submits the required documentation to the FedRAMP PMO and the JAB. If the JAB judges the security controls adequate, it issues a Provisional Authority to Operate (P-ATO). The authorization is provisional because the JAB cannot accept risk on behalf of an agency; each agency must still review the package and issue its own ATO letter indicating that it accepts the risk of using the system.
- Agency – The CSP submits its package to a sponsoring agency and to the FedRAMP PMO, and the sponsoring agency grants an Authority to Operate (ATO). Other agencies can leverage that ATO by reviewing the package in the FedRAMP repository and issuing their own ATO letters based on the sponsoring agency's work.
- CSP Supplied – This path does not itself produce a P-ATO or an agency ATO, but it shortens later approvals because the documentation review and 3PAO testing are already complete and available for agencies to leverage. The CSP supplies its security package to the FedRAMP repository and asks the FedRAMP PMO to review it for sufficiency. Once the PMO finds the package sufficient, it is listed in the repository as a candidate for approval. An agency must still review the package and issue the CSP an ATO, at which point the package's designation changes to authorized.
FedRAMP Security Package
Throughout this blog post, we've referred to the submission and review of a CSP's FedRAMP security package. The security package is the set of system and security documents that the FedRAMP PMO/JAB requires before a P-ATO or ATO can be issued. The most important of these are the System Security Plan (SSP) and the Security Assessment Report (SAR). The SSP defines the physical and logical boundaries of the cloud solution and describes in detail how the CSP has implemented, or plans to implement, each required FedRAMP security control. The SAR contains the results of the 3PAO's testing of the controls described in the SSP and gives the FedRAMP PMO, the JAB, and agencies an independent validation of whether the CSP's controls are sufficient. Templates for the SSP and SAR are provided by the FedRAMP PMO and can be found at www.fedramp.gov.
If you are a CSP, understand that obtaining an ATO for your cloud solution or product is not a simple undertaking; it requires a significant commitment of both time and money. Achieving an ATO typically takes 6 to 18 months, depending on the path taken, the maturity of your existing controls, and the quality of your own effort. FedRAMP authorization is also an ongoing commitment: once a CSP obtains its initial ATO, it must perform continuous monitoring and reporting to either its agency sponsor or the FedRAMP PMO/JAB, depending on the path chosen.
To reduce effort and cost, continuous monitoring should be automated wherever possible and integrated with your operational and reporting tools. For federal agencies, it is equally important to make the most of limited resources by leveraging existing ATOs, focusing review effort on the most important controls, and automating oversight.
FedRAMP is a detailed and complex process, and this blog post has aimed to cover its most important components. I'd be interested to hear about any experiences with FedRAMP. Please feel free to leave a comment below or contact me directly if you have any questions.