The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP was created by the Joint Authorization Board (JAB) with representatives from the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense (DoD).
FedRAMP requires that covered companies implement a set of security controls to ensure that all federal data is secure in cloud environments. All cloud service providers (including IaaS, PaaS, SaaS applications) that are used by federal agencies or want to pursue these types of business partnerships in the future must demonstrate FedRAMP compliance.
This guide covers all key aspects of FedRAMP compliance and answers common questions from organizations new to the FedRAMP.
What Is the Purpose of FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP was created by the Joint Authorization Board (JAB) with representative Chief Information Officers from the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense (DoD). Many other government agencies also participated in reviewing and standardizing the controls, policies, and procedures.
The purpose of FedRAMP is to:
- Ensure that cloud applications and services used by government agencies have sufficient safeguards
- Enable efficient and cost-effective procurement of information systems/services
- Eliminate duplication of effort and risk management costs across government agencies
What Types of Businesses Need to Be FedRAMP Compliant?
If your company provides cloud computing services or software-as-a-service (SaaS) applications and you are interested in having a U.S. government agency as a customer, you must be able to demonstrate that your system is FedRAMP compliant. In fact, standardized language for FedRAMP requirements is included in every federal government contract.
To be able to sell your system to a federal government agency, you’ll need to gain proper authorization for your system. Getting through the FedRAMP authorization process will require a significant amount of work from your organization. As such, it is important to understand the FedRAMP authorization process as soon as you decide to pursue federal agencies as customers. However, before you start the FedRAMP compliance journey, you need to have a system that is fully built and functional, and a leadership team that’s committed and fully bought into the FedRAMP process.
The Process for Obtaining a FedRAMP Authority to Operate
At a high level, FedRAMP requires covered companies to implement a set of security controls, parameters, and requirements dictated by the JAB within their cloud computing environment, document how those controls are implemented in a System Security Plan, go through an independent assessment and submit a set of documents to authorizing officials (either at a Federal Agency or the JAB) for review. The authorizing officials decide whether to grant the entity authorization based on those documents and the risks identified during the assessment phase.
FedRAMP also requires covered entities to implement a continuous monitoring program to ensure their cloud system maintains an acceptable risk posture.
You can think about the authorization process in four phases:
The word “document” may be a bit misleading here. It would be more accurate to call it the “Plan, Implement, and Document” phase. There are six steps to take within this phase, and the process may take several weeks or many months depending on your particular situation.
Step 1: Establish a partnership with a federal agency
The first step of the FedRAMP compliance journey is to establish a partnership with a federal agency that is interested in using your product and willing to go through the authorization process with you.
Step 2: Determine your authorization path
The next step is to determine which approach you will take to get your authorization. There are two paths to authorization: You can get a Provisional Authority to Operation (P-ATO) from the Joint Authority Board (JAB) or obtain an Authority to Operate (ATO) letter from a single federal agency.
Which path you take is a decision that needs to be considered carefully as it has a cost and level-of-effort implications.
Joint Authorization Board P-ATO
If your product has broad demand (e.g., is being used or can be used by multiple federal agencies), you should consider obtaining a Provisional Authority to Operate (P-ATO) from the Joint Authority Board. When the JAB grants the P-ATO, the JAB will share a recommendation to all Federal Agencies about whether your cloud service has an acceptable risk posture for federal agencies’ use.
Getting a JAB P-ATO is an incredibly involved process. The JAB has limited resources and is only able to evaluate a limited number of cloud service providers each year. As a vendor seeking JAB P-ATO, you must provide proof of demand for your service from Agencies (e.g., a list of customers). The JAB uses such information to determine which vendors to prioritize in its evaluations. After a vendor is prioritized, it has 60 days to receive a FedRAMP Ready designation.
To achieve a FedRAMP Ready designation, you will have to partner with an accredited third-party assessment organization (3PAO) to complete a readiness assessment of your service offering. This assessment is designed to help an organization understand any gaps in their environment prior to beginning a FedRAMP assessment. The 3PAO will deliver a Readiness Assessment Report (RAR) if it can attest to the CSO’s readiness for the authorization process.
After you’re prioritized to work with the JAB and deemed FedRAMP Ready, you will complete a System Security Plan and engage with an accredited 3PAO for the full assessment. Once this assessment is complete, you must submit a full package of documents (more details later) to the JAB. At this point, you are finally able to move to the final phase: the authorization phase.
During the authorization phase, the 3PAO, the JAB, and the FedRAMP Project Management Organization (PMO) will conduct a deep dive into your service offering, security capabilities, and risk exposure. If the results from this initial deep-dive look good, the JAB conducts another in-depth review. If this in-depth review goes well, then the JAB issues a formal P-ATO decision, which provides an assurance to federal agencies that the risk posture of the system has been reviewed and approved by the DoD, DHS, and GSA.
This process will take months to complete.
FedRAMP Agency ATO
If you want to gain authorization to work with a single federal agency in a shorter amount of time or if your product has niche demand, you can work directly with an agency to obtain a FedRAMP Agency Authority to Operate (ATO). This path is somewhat less intensive than the JAB path because you don’t need to provide proof of demand for your service from multiple Agencies, and you don’t need to go through reviews with the JAB. Rather, you work directly with a single agency to go through an authorization process.
Step 3. Determine the security impact level and security objective for your application
FedRAMP categorizes Cloud Service Providers (CSPs) into one of three security impact levels (Low, Moderate, and High) and lays out different security control requirements for each level.
Low impact: Low impact is most appropriate for systems where the loss of confidentiality, integrity, and availability would result in limited adverse effects on an agency’s operations, assets, or individuals. Generally, these are applications that do not store personal identifiable information (PII) beyond that generally required for login capability (i.e. username, password, and email address).
Moderate impact: Moderate Impact systems account for nearly 80% of CSP applications that receive FedRAMP authorization and are most appropriate for CSOs where the loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency’s operations, assets, or individuals. Serious adverse effects could include significant operational damage to agency assets, financial loss, or individual harm that is no loss of life or physical.
High impact: High impact data is usually in Law Enforcement and Emergency Services systems, Financial systems, Health systems, and any other system where the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
FedRAMP also categorizes covered entities across three security objectives: Confidentiality, Integrity, and Availability.
|Confidentiality||Information access and disclosure include means for protecting personal privacy and proprietary information||Access to John Doe’s personal information is sufficiently restricted for the purpose of privacy|
|Integrity||The stored information is sufficiently guarded against modification.||Susan Smith lacks the appropriate access and cannot modify John Doe’s security information.|
|Availability||Timely and reliable access to information is ensured.||John Doe can reliably access secure work data.|
You will need to use the FedRAMP FIPS 199 Categorization Template along with the guidance of NIST Special Publication 800-60 volume 2 Revision 1 to correctly categorize your systems based on the types of information processed, stored, and transmitted on your systems.
Step 4: Implement security controls
Once you’ve determined the correct impact level for your system, you will need to fulfill the requirements outlined in the FedRAMP Security Controls baseline that matches your security impact level.
What types of security controls does FedRAMP require?
The FedRAMP Joint Authorization Board (JAB) used the NIST SP 800-53 catalog of controls as a baseline for FedRAMP and made certain modifications to address the unique risks of cloud computing environments, including but not limited to multi-tenancy, visibility, control/responsibility, shared resource pooling, and trust.
The FedRAMP requirements and controls span across the following domains:
- Access Control
- Awareness and Training
- Audit and Accountability
- Security Assessment and Authorization
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Media Protection
- Physical and Environmental Protection
- System Security Planning
- Personnel Security
- Risk Assessment
- System and Services Acquisition
- System and Communications Protection
- System and Information Integrity
You can download FedRAMP Security Controls Baseline here.
It’s likely that many controls are already implemented within your organization and just need to be described adequately within the FedRAMP templates. Some controls might require the implementation of new tools, and others may require configuration changes to existing systems.
Keep in mind that implementing the FedRAMP Security Controls Baseline is the minimum you’ll need to do. The federal agency you want to work with may require additional security controls above the baseline. As such, you may need to alter certain parameters to adequately address your customer’s needs.
Step 5: Document your control set
Once you’ve implemented the appropriate set of controls to fulfill FedRAMP requirements, you will need to document the details of the implementation in a System Security Plan (SSP), a document that describes the security authorization boundary, how the implementation meets requirements, roles and responsibilities, and expected behavior of individuals with system access. You can download the SSP template on www.fedramp.gov.
Step 6: Prepare supporting documents
FedRAMP requires each cloud provider to submit a package of supporting documents along with their SSP. These supporting documents include an e-Authentication Worksheet, a Privacy Threshold Analysis (and if applicable, a Privacy Impact Assessment), the CSP’s Information Security Policies, a User Guide for the cloud service, Rules of Behavior, an IT Contingency Plan, a Configuration Management Plan, a Control Information Summary (CIS), and an Incident Response Plan. Templates for these documents can be downloaded from www.fedramp.gov.
Once your documentation is complete, you’ll need to hire an independent assessor to test your information system to verify that the controls are effective and implemented as outlined in the SSP.
If you would like to receive a P-ATO from the JAB, you’ll need to use a third-party assessment organization (3PAO) — an organization that’s accredited by the American Association for Laboratory Accreditation (A2LA) to provide an independent assessment — to perform the test. If you are simply seeking an ATO from a federal Agency, you could use a non-accredited independent assessor (IA).
Once the testing is complete, the IA or 3PAO will issue a Security Assessment Report (SAR) that contains information about vulnerabilities, threats, and risks discovered during the testing process, as well as guidance for your firm in mitigating the security weaknesses discovered.
You’ll have a chance to review the report and ensure that your assessor had up-to-date and relevant information to create the report. Once you and your assessor have finished your reviews, the assessor will share the report with the security team at the Agency you want to work with or the JAB.
Meanwhile, you’ll also need to develop a Plan of Action & Milestones (POA&M) that addresses the specific vulnerabilities noted in the Security Assessment Report and submit this to the security team at the Agency you want to work with or the JAB.
Once you have completed your assessment and the associated deliverables, you’ll need to submit the entire security package to the authorizing official (AO) at the federal agency you’re working with or the JAB. The AO or the JAB will review them and either approve them or request that additional testing take place. A final review is then conducted, and if the agency accepts the risk associated with the use of the system, they provide an Authority to Operate (ATO) letter signed by the Authorizing Official to your organization.
After receiving the ATO, your work isn’t done. To maintain your authorization, you’ll need to implement continuous monitoring, continue to meet the FedRAMP requirements, and keep an appropriate risk level associated with your security impact level. If your organization fails these steps, the Agency you work with or the JAB can choose to revoke the authorization. You can learn more about the authorization process by reviewing the Agency Authorization page and the FedRAMP Agency Authorization Playbook.
What Tools can Make It Easier to Manage Your FedRAMP Compliance Effort?
If you need to ensure compliance with FedRAMP requirements and maintain your Authority to Operate (ATO), Hyperproof’s compliance operations software can make that work simpler and faster.
Hyperproof allows you to easily see the requirements and controls for the FedRAMP Security Controls baseline so you can start tailoring each control to your customer’s requirements, collect evidence of controls’ operating effectiveness, and automate repetitive administrative tasks associated with the compliance effort.
Hyperproof’s CrossWalks feature allows you to easily leverage your existing security controls to meet FedRAMP requirements. Hyperproof has done the hard work of mapping out the relationships between various cybersecurity frameworks, so we know which requirements and controls are common across frameworks and/or standards.
As such, if you already have a robust security program that’s managed in Hyperproof, our software can tell you which of your existing controls can be applied to satisfy FedRAMP requirements to help you avoid creating duplicate controls.
Conversely, if you’ve implemented all FedRAMP security controls in Hyperproof and you’re considering becoming compliant with another infosec framework, Hyperproof can tell you which FedRAMP controls are similar to those required by the target framework so you can fully implement the target framework in a shorter amount of time.
Beyond features that help you document your compliance with FedRAMP security controls, Hyperproof is also built to help you run a continuous monitoring program over time. Hyperproof provides analytics and dashboards to help security and compliance leaders monitor their controls over time.
Hyperproof makes it easy to see whether someone has dropped the ball on control and re-assign control ownership as needed. For instance, with Hyperproof you can specify that John, an IT Security Analyst, needs to coordinate with an Approved Scanning Vendor to conduct a scan of your network on a quarterly basis and penetration testing once a quarter.
Then, through Hyperproof’s dashboards, you can easily see if evidence has been provided that demonstrates the network scan has been performed. A compliance manager can also easily re-assign this task to someone else if John — the original control performer — has left your organization or is out of the office.
If you’re interested in learning more about how to use Hyperproof to implement FedRAMP, we’d love to talk.