The Ultimate Guide to
Federal Risk and Authorization Management Program (FedRAMP)
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for all cloud products and services. It was created by the Joint Authorization Board (JAB) with representatives from the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense (DoD).
Protect mission-critical data
The US federal government is one of the largest buyers of cloud technology and knows that innovative Cloud Service Providers can save agencies time and resources while meeting their critical mission needs. In fact, a 2020 FedRAMP survey found that 45% of federal agencies and 52% of state and local governments are currently storing mission-critical data in the cloud, and nearly every respondent said that they use the cloud to store at least some of their systems or solutions.
In order to protect data stored in the cloud, the General Services Administration (GSA) created the Federal Risk and Authorization Management Program (FedRAMP) to provide a standardized security framework for all cloud products and services that is recognized by all executive federal agencies. Cloud Service Providers (CSPs) only need to go through the FedRAMP Authorization process once for each Cloud Service Offering (CSO) and perform continuous monitoring. Meanwhile, all agencies can review the same continuous monitoring deliverables, creating efficiencies across the government.
What is the purpose of FedRAMP?
The purpose of FedRAMP is to:
Ensure that cloud applications and services used by government agencies have sufficient security safeguards to protect federal information.
Enable the procurement of information systems/services in an efficient and cost-effective manner.
Eliminate duplicative efforts and risk management costs across government entities.
Does my business need to be FedRAMP authorized?
If your company provides cloud computing services or SaaS applications and plans on having the U.S. government as a customer, then you will need to become FedRAMP authorized. In fact, every single government contract includes standardized language for FedRAMP requirements. Don’t let the size of your company deter you, either. Over 30% of FedRAMP Cloud Service Providers are small businesses.
The 4 phases to the authorization process: How to get FedRAMP certified
1. Prepare and plan
There are six steps in the preparation/planning phase, and the process can take weeks or multiple months depending on the maturity of your current security compliance program.
The first step is to find a federal agency that is interested in using your product and willing to go through the authorization process with you.
There are two paths to authorization: you can get a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB), or obtain an ATO letter from a federal agency.
As a Cloud Service Provider, your offering will fall into one of three security impact levels: low, moderate, or high. Each level determines your security control requirements. More on this below.
Once you know your correct security impact level, you will need to fulfill the requirements from the FedRAMP security controls baseline.
After you’ve implemented the appropriate set of controls, you’ll need to document the details in a System Security Plan (SSP).
Lastly, FedRAMP requires you to submit a set of supporting documents along with your SSP. The templates for these documents can be downloaded at www.fedramp.gov.
2. Assess
Once you finish phase one, you’ll need to hire an independent assessor to test and verify the implementation and effectiveness of your controls. When the testing is complete, you’ll be issued a Security Assessment Report (SAR) that lists any vulnerabilities, threats, and risks discovered during testing. After you’ve reviewed the report, your assessor will share it with the security team at the agency you’re working with or with the JAB. In the meantime, you can start developing your Plan of Action & Milestones (POA&M), which describes how you will resolve the vulnerabilities in your report, and submit it to the same agency or the JAB.
3. Authorize
After the assessment and documents have been delivered, you’ll need to submit the entire security package to your authorizing official (AO) at the agency or the JAB. The AO or the JAB will review the materials and either approve them or request further testing. A final review is then conducted that decides whether you will have an Authority to Operate (ATO), and a signed ATO letter will be given to you by your Authorizing Official.
4. Monitor
Even after you receive the ATO, your work isn’t finished. To maintain the authorization, you’ll need to have continuous monitoring implemented and maintain an appropriate risk level associated with your security impact level. The agency or JAB can revoke the authorization if you fail these steps. You can learn more about the authorization using the Agency Authorization page or the FedRAMP Agency Authorization playbook.
Should I get a Joint Authorization Board P-ATO or a FedRAMP Agency ATO?
If your product will be used by multiple federal agencies, you should consider the JAB P-ATO. When the JAB grants the authorization, it shares this recommendation with all federal agencies. However, getting the JAB P-ATO is no easy feat. Since the JAB has limited resources, it is only able to evaluate a select number of cloud service providers annually. This method also requires an accredited third party assessment organization (3PAO) to complete the readiness assessment, which you’ll need prior to beginning a FedRAMP assessment.
Once you are prioritized to work with the JAB and deemed FedRAMP Ready, you’ll complete a System Security Plan, and your 3PAO will conduct the full assessment and then submit the full package of documents to the JAB. Finally, you’ll move to the authorization and monitoring phases. This process can take months to complete.
On the other hand, if you want to gain authorization to only work with a single federal agency or if your product has niche demand, you can work directly with an agency to obtain a FedRAMP Agency Authority to Operate (ATO). Going this direction is quicker and somewhat less intensive than the JAB route, since you don’t have to provide proof of demand from multiple agencies or go through reviews with the JAB.
How does FedRAMP fit into your overall compliance program?
While FedRAMP is used specifically for work with the U.S. government, the controls needed to safeguard a cloud service offering are similar to those used by other information security standards and certifications. In fact, the JAB used the NIST SP 800-53 catalog of controls as a baseline, and many other frameworks’ requirements overlap with it. This means that if you already adhere to another information security framework (e.g., ISO 27001, NIST CSF, SOC 2 Type 2), you may already have done a lot of the work needed for FedRAMP.
If you’ve already implemented an information security framework in the Hyperproof platform and want to meet the FedRAMP security controls baseline, the Hyperproof platform will recommend which existing controls you can leverage to fulfill it, making it significantly easier and faster to meet the standard. Conversely, the controls you implement for FedRAMP can be reused to meet the requirements of other information security standards and frameworks.
Note that FedRAMP does not supersede local or regional laws, government regulations, or other legal requirements. Need help getting started? Get the FedRAMP compliance starter guide.
What security controls does FedRAMP require?
When creating the baseline for FedRAMP, the JAB used the NIST SP 800-53 catalog of controls with certain modifications for the unique risks of cloud computing environments. It’s likely that many controls that already exist in your organization will satisfy controls in the FedRAMP templates. Some controls might require you to implement new tools, while others will need changes to be made in existing systems. For a full list of requirements and controls, you can download the Security Controls Baseline. It’s important to remember that the baseline is the minimum you’ll need to do, and the agency you work with might impose additional requirements beyond the baseline.
What security impact level do I need?
FedRAMP categorizes Cloud Service Providers into three security impact levels, and each has different security control requirements.
Low Impact
In most cases, companies will be at this level if their applications do not store personally identifiable information (PII) beyond what’s generally required for login capability, such as username, password, and email. The loss of confidentiality, integrity, or availability of this information would have limited adverse effects on an agency’s operations, assets, or individuals.
Moderate Impact
This level accounts for nearly 80% of CSP applications that receive FedRAMP authorization and is most appropriate for CSOs where the loss of information would have serious adverse effects on the agency’s operations, assets, or individuals.
High Impact
High impact data is in systems where the loss of confidentiality, integrity, or availability would be severe or catastrophic. You can find this data in law enforcement and emergency services systems, financial systems, or health systems.
Hyperproof for FedRAMP Compliance
Hyperproof’s compliance operations software solution helps organizations understand FedRAMP requirements, document controls for their business, streamline and automate the evidence management process, generate SSP reports, and monitor their security controls to ensure ongoing effectiveness. Plus, it comes with templates for the FedRAMP High, Moderate, and Low Impact level requirements to help you hit the ground running. Learn more about simplifying your journey to FedRAMP compliance with Hyperproof.
Hyperproof also partners with professional service firms with proven track records and deep expertise in helping organizations get FedRAMP assessment-ready. Our partners help customers design their information security compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.
Drafting Compliance: Follow us on our FedRAMP journey
Hyperproof will be FedRAMP Moderate by 2025. Subscribe to our YouTube series, Drafting Compliance, where we rate beers and talk about how we’re becoming FedRAMP compliant.