The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program with the goal of providing a “cost-effective, risk-based, approach for the adoption and use of cloud services to Executive departments and agencies,” according to the Office of Management and Budget’s (OMB) 2011 FedRAMP memorandum. This article covers the basics of FedRAMP.
What is the purpose of FedRAMP?
FedRAMP is a program that serves as a pathway for private sector cloud service providers (CSP) to obtain a seal of approval for their cloud service offerings (CSO) to be operated on government networks for government users. This seal of approval is known as a FedRAMP Authority to Operate (ATO).
Although FedRAMP ATOs are a standard certification across the government, different agencies and departments may require additional security controls and implementations in order to comply with their own internal policies, which may limit the reciprocity of a FedRAMP ATO. In addition, FedRAMP’s overseers are not able to assume risk on behalf of other governmental bodies. An ATO signals to agencies that a CSO is secure and compliant with the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF) and the Federal Information Security Management Act (FISMA).
Who is in Charge of FedRAMP?
FedRAMP was established by the General Services Administration (GSA) to provide support for and maintain compliance with FISMA, specifically in the government’s adoption and use of CSOs.
FedRAMP is overseen by two main bodies:
- Joint Authorization Board (JAB) – Members of the JAB include Chief Information Officers (CIO) of the Department of Defense (DoD), the Department of Homeland Security (DHS), and GSA.
- FedRAMP Program Management Office (PMO) – The FedRAMP PMO was established by GSA in 2012. It supports agencies and CSPs through the authorization process, and it maintains a secure repository of authorizations for reuse of security packages, according to GSA.gov.
The FedRAMP PMO and JAB work together to keep FedRAMP up to date and ensure compliance across all government CSPs. FedRAMP operates using the FedRAMP Security Assessment Framework (SAF) in combination with the guidelines of the NIST RMF and FISMA.
How does FedRAMP Work?
The FedRAMP SAF relies on four key activities and processes:
- Document – The documentation phase has three steps: categorizing the system (by type and impact level), selecting security controls, and implementing the controls. CSPs must document this information in a system security plan (SSP) using the FedRAMP SSP template. The SSP describes the authorization boundary, how the security measures in place address the required security controls, the expected behaviors of those with system access, and the system's architecture and supporting infrastructure.
- Assess – The assessment phase includes the Security Assessment Plan (SAP) and testing. FedRAMP authorizes third party assessment organizations (3PAO) to conduct the testing of CSOs. CSPs are allowed to submit assessments from non-accredited independent assessors (IA) with an attestation from a supporting agency describing the independence and technical qualifications of that IA. The 3PAO or IA is responsible for creating the SAP using the FedRAMP SAP template. The SAP documents the methods and processes employed to test the efficacy of security implementations. It also documents the relevant components of the system such as the hardware, software, and physical facilities involved.
- Authorize – Authorizing Officials (AO) review CSO documentation, like System Assessment Reports (SAR), and grant ATOs to CSPs. FedRAMP offers JAB Provisional ATOs (P-ATO) and agency ATOs. P-ATOs can be requested from the JAB by CSPs or agencies. They are issued for CSOs that are still in development or prototyping, and are valid for a finite amount of time. Under FISMA, the JAB cannot accept risk on behalf of any agency, but P-ATOs do shorten the review process for individual agencies. For FedRAMP agency ATOs, agencies are responsible for conducting the risk review and work with the CSPs to present their documentation to the AO or equivalent authority. As with FedRAMP SAPs, agencies can use FedRAMP-accredited 3PAOs or non-accredited IAs for the risk review. Once an agency has authorized the CSO, the documentation is sent to the FedRAMP PMO for review. After the PMO approves the CSO, it is added to FedRAMP’s secure repository.
- Monitor – Because security threats persist after authorization, continuous monitoring is employed to validate the performance of systems and the efficacy of security measures. Operational visibility, change control, and incident response support continuous monitoring. “The CSP and its 3PAO must provide evidentiary information to AOs at least monthly, annually, every three years, and on an as-needed basis after an authorization is granted,” according to the FedRAMP Continuous Monitoring Strategy Guide.
These processes are designed to streamline the authorization process and ensure continued compliance. Achieving an ATO through the FedRAMP process can take anywhere from 3-18 months.
FedRAMP’s mission is a necessary one for the smooth and efficient adoption and use of CSOs from CSPs. It provides a standard approach to security assessment, authorization, and continuous monitoring for cloud products and services. Since inception, FedRAMP has authorized over 260 cloud solutions, but there are hundreds of thousands of CSPs, from small to large companies, that are willing to pursue or are actively vying for a chance to receive an ATO. The FedRAMP Marketplace lists all FedRAMP-approved products, federal participants, and FedRAMP assessors. FedRAMP does not have the bandwidth to process every CSP and CSO, but there are alternatives that may better suit the unique needs of different companies and solution providers.