FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by the US government. Because its goal is to protect US citizen data in the cloud, it is the government’s most rigorous security compliance framework.
Before FedRAMP, vendors were faced with different requirements for each Agency they worked with, which meant they had to prepare authorization packages for each one. FedRAMP implemented standard security baselines and processes to provide both an initial authorization of a cloud service and a mechanism for that security package to be reused across the federal government. This saves time, money, and effort for both Agencies and Cloud Service Providers (CSPs).
In addition to FedRAMP’s stamp of security approval, FedRAMP authorization provides CSPs the benefit of strengthened government confidence in the CSP’s cloud services and a listing in the FedRAMP Marketplace, increasing visibility of their product across government.
FedRAMP Authorization: A CSP’s Perspective
CSPs whose services are currently being used by the federal government or are interested in selling their cloud service to the federal government should obtain a FedRAMP authorization, per OMB memorandum. CSPs considering pursuing a FedRAMP Authorization should review the Security Assessment Framework and become familiar with FedRAMP’s four process areas: Document, Assess, Authorize, and Monitor, which align to the NIST Risk Management Framework (RMF) covered in NIST SP 800-37.
Once a CSP has decided a FedRAMP Authorization might be right for their cloud service, it is recommended that the CSP begin to review FedRAMP’s documents, templates, and other resources available on the FedRAMP website. CSPs should also complete FedRAMP Training, including the mandatory FedRAMP System Security Plan (SSP) Required Documents (200-A) module. Once familiar with the requirements of a FedRAMP Authorization, CSPs should complete a CSP Information Form, which will trigger the FedRAMP Program Management Office (PMO) to set up a consultative intake call with our technical and government SMEs. During this call you will discuss your system and the best authorization strategy for you.
CSPs that successfully navigate the pre-authorization phase:
- Establish strong partnerships with Agency customers and document Agency interest in their offering becoming FedRAMP Authorized through RFIs, RFPs, and RFQs
- Identify and establish a partnership with a FedRAMP-approved Third Party Assessment Organization (3PAO)
- Ensure that the service offering has implemented the necessary FedRAMP security controls in accordance with the appropriate data impact level as described in FIPS PUB 199 (i.e., High, Moderate, Low, or Low-Impact SaaS)
CSPs that have demonstrated sufficient demand, or have identified one or more initial authorizing Agencies for their services, must then pursue a Joint Authorization Board (JAB) provisional authorization and/or an initial Agency authorization. In order to pursue a JAB Authorization, CSPs must be prioritized to work with the JAB toward a Provisional Authority to Operate (P-ATO) through the FedRAMP Connect process. The FedRAMP PMO has defined the JAB criteria in our FedRAMP JAB P-ATO Prioritization Criteria document for your reference. In order to pursue an Agency Authorization, CSPs must become “In Process” with their initial authorizing Agencies. Guidelines on the requirements to be designated as FedRAMP “In Process” are detailed in our Agency Authorization: Obtaining In Process Designation document.
CSPs that have demonstrated sufficient demand and have been prioritized to work with the JAB, or have identified one or more initial authorizing Agencies for their services and have been deemed “In Process”, can then begin the authorization process. For more information about JAB and Agency authorizations, please visit our JAB Authorization and Agency Authorization pages.
At a high level, the authorization process includes:
- Package Development: This includes an Authorization Kick-Off meeting with representatives from the CSP, partnering Agency, 3PAO, and FedRAMP PMO. The CSP then completes the System Security Plan (SSP) and attachments and the 3PAO develops the Security Assessment Plan (SAP).
- Assessment: The 3PAO completes testing and submits the Security Assessment Report (SAR). The CSP then creates the Plan of Action & Milestones (POA&M) based on the findings from testing.
- Authorization: The authorizing party (either an Agency or the JAB) reviews the security package and decides whether or not to accept the risk posture associated with the system. If accepted, the authorizing party grants an authorization for the CSP’s service offering (either an Agency Authority to Operate (ATO) or a JAB P-ATO). An ATO letter is submitted to the FedRAMP PMO, and the CSP is listed in the FedRAMP Marketplace as a FedRAMP authorized vendor.
Once the service offering is authorized, the CSP must provide monthly continuous monitoring deliverables to the Agency (or Agencies) that are using the service. The monthly continuous monitoring deliverables should be reviewed by each Agency, but do not need to be shared with the FedRAMP PMO.
“Do Once, Use Many Times”
FedRAMP was designed so that once a cloud service offering has been authorized, Agencies can review the existing authorization package and grant ATOs for their organizations to use the service. This prevents CSPs and Agencies from duplicating work that has already been done as part of the initial authorization, saving time and money.
Once a service offering has been authorized, it is listed in the FedRAMP Marketplace. The FedRAMP PMO encourages Agencies to use the Marketplace to find services that meet their needs, knowing that any service listed in the Marketplace meets federal security requirements and has already been authorized.