What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves cost, time, and staff required to conduct redundant Agency security assessments.
Is FedRAMP mandatory?
Yes, FedRAMP is mandatory for Federal Agency cloud deployments and service models at the low, moderate, and high risk impact levels. Private cloud deployments intended for single organizations and implemented fully within federal facilities are the only exception. Additionally, Agencies must submit a quarterly report in PortfolioStat listing all existing cloud services that do not meet FedRAMP requirements with the appropriate rationale and proposed resolutions for achieving compliance.
What is the difference between FISMA and FedRAMP controls?
Both FedRAMP and FISMA use the NIST SP 800-53 security controls. The FedRAMP security controls are based on NIST SP 800-53 Revision 4 baselines and contain controls above the NIST baseline that address the unique elements of cloud computing.
How will FedRAMP help make cloud computing more secure for the federal government?
FedRAMP requirements include additional controls above the standard NIST baseline controls in NIST SP 800-53 Revision 4. These additional controls address the unique elements of cloud computing to ensure all federal data is secure in cloud environments.
What is an Authority to Operate (ATO) and Provisional Authority to Operate (P-ATO) and how are they issued?
There are two types of FedRAMP authorizations for cloud services:
- A Provisional Authority to Operate (P-ATO) through the Joint Authorization Board (JAB)
- An Agency Authority to Operate (ATO)
A FedRAMP P-ATO is an initial approval of the CSP authorization package by the JAB that an Agency can leverage to grant an ATO for the acquisition and use of the cloud service within their Agency. The JAB consists of the Chief Information Officers (CIOs) from DOD, DHS, and GSA, supported by designated technical representatives (TRs) from their respective member organizations. A P-ATO means that the JAB has reviewed the cloud service’s authorization package and provided a provisional approval for Federal Agencies to leverage when granting an ATO for a cloud system. For a cloud service to enter the JAB process, it must first be prioritized through FedRAMP Connect.
Agency ATO Process
As part of the Agency authorization process, a CSP works directly with the Agency sponsor who reviews the cloud service’s security package. After completing a security assessment, the head of an Agency (or their designee) can grant an ATO. For more information about these two authorization paths, please visit our Get Authorized page
What is the distinction between “FedRAMP Authorized” and “FedRAMP Ready”? How do Agencies access and approve security authorization packages?
The main distinction is that FedRAMP Ready systems are not FedRAMP Authorized. In short, FedRAMP Ready systems must still undergo an authorization process, while FedRAMP Authorized systems have completed the process at least once already.
FedRAMP Ready indicates that a Third Party Assessment Organization (3PAO) attests to a cloud service’s readiness for the authorization process, and that a Readiness Assessment Report (RAR) has been reviewed and approved by the FedRAMP PMO. The RAR documents the cloud service’s capability to meet FedRAMP security requirements. The FedRAMP Ready designation is also required for any cloud service to enter the Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) process.
FedRAMP Authorized, by comparison, is a designation that is given to systems that have completed the FedRAMP authorization process.
Agencies can review the list of FedRAMP Authorized systems in the FedRAMP Marketplace to determine if they are suitable for their use and can issue Agency ATOs. Agency personnel can request access to FedRAMP Agency authorization packages in the FedRAMP Secure Repository by completing an access request form.
What are the requirements to use the FedRAMP logo on a CSP’s marketing materials?
Accredited 3PAOs and CSPs who have successfully achieved FedRAMP Ready or FedRAMP Authorized may use the FedRAMP logo. Use of the FedRAMP logo in conjunction with qualified products or services (i.e. an approved 3PAO) does not require approval. The FedRAMP PMO must approve any major educational or promotional campaigns that feature the FedRAMP logo prior to use. The submitted materials will be reviewed for consistency with these guidelines within two (2) weeks of receipt of the materials. Materials should be submitted to the FedRAMP Director at firstname.lastname@example.org with the following in the subject line: “FedRAMP Branding Review.”
Please review the FedRAMP Branding Guidance for more answers to your FedRAMP logo questions.
My company is looking to obtain FedRAMP certification for one of our existing cloud products. I have executive support and an Agency sponsor. How do I get started?
Are cloud services that are listed as “In Process” considered FedRAMP compliant?
Cloud services “In Process” should not present themselves as FedRAMP compliant to Agencies. A cloud service posted as “In Process” on fedramp.gov only indicates that they are working with the Joint Authorization Board (JAB) or an Agency to attain a FedRAMP authorization. To learn more information on how a CSP can become “In Process” please refer to our Agency Authorization: Obtaining In Process Designation document.
How does an Agency leverage an existing FedRAMP JAB or Agency authorization package?
In accordance with FISMA, only the head of an Agency or appointed designee, the Authorizing Official (AO), can make the risk-based determination to use IT systems. FedRAMP cannot make decisions for Federal Agencies or accept risk on their behalf. The JAB authorization process helps to establish an initial review and approval that Agencies can leverage during their own authorization process.
With some cloud service offerings, the JAB reviews the risk posture of cloud systems and provides provisional authorizations (P-ATOs) based on the submitted security package. Once a package has been granted a P-ATO, a P-ATO letter is created.
The Agency AO can then leverage a P-ATO or other Agency ATO, including all supporting documentation, when making a risk-based decision to grant an Agency ATO. Each Agency that is considering using the system should review the P-ATO/ATO letter as well as the package itself before deciding whether or not to use the system. Agencies can review the authorization packages that are available by submitting a FedRAMP Package Request Form. If the Agency wants to use the system, the Agency must create its own ATO letter to show that they are accepting the risk associated with the system. Agencies should provide the FedRAMP PMO copies of the leveraging ATO letters.
If an Agency adds additional security controls, how can other Agencies leverage those additional controls?
CSPs can include these additional security controls with their FedRAMP Authority to Operate (ATO) packages available for leveraging within the FedRAMP repository.
Who can access the secure repository to view authorization packages?
Federal government employees with an OMB MAX account are allowed to review authorization packages in OMB MAX. Federal government contractors can also access authorization packages, provided they have an OMB MAX account and written authorization from a government employee to view a particular CSP’s package.
Unfortunately, state and local government employees are not allowed to review FedRAMP security documentation. State and local government representatives are encouraged to contact any FedRAMP Authorized CSP directly to determine their security package specifications.
Who are the Authorized FedRAMP Approvers for Federal Agencies?
The FedRAMP approver to sign off on your Package Access Request form is either your Agency’s Chief Information Security Officer (CISO) or Designated Approving Authority (DAA). If the form is signed by a DAA, that person must be at a level that has the authority to grant an ATO for a system. Unfortunately, FedRAMP does not keep a listing of Agency CISOs or DAAs. You will have to get that information from your Agency.
Who is responsible for the cloud security controls?
The responsibility for the controls will depend on the solution. In summary, the CSP and Agency will be responsible for some specific controls, and both parties will share responsibility for other controls. The CSP develops a Control Implementation Summary (CIS) that contains a matrix outlining which controls are CSP-provided, Agency/customer-provided, and hybrid. The CSP develops a System Security Plan (SSP) that further describes the responsibilities for the controls and how exactly the control is implemented by each responsible entity. Both the CIS template and the SSP template are on the FedRAMP website.
Do the FedRAMP security controls restrict data to reside only within the United States?
There are no FedRAMP requirements restricting data to within the United States. There are multiple security controls that detail where data is stored, what the boundary of the system is, and where and how data in transit is protected. Some CSPs with FedRAMP Authorized systems are located globally, although the majority of service providers do restrict their data to the United States. It is up to each individual Agency and Authorizing Official to place restrictions, if needed, on data location.
If an Agency purchases an outsourced service (software) that is built on top of a cloud platform, how is that handled within FedRAMP?
Obtaining a FedRAMP authorization requires all system components be assessed based on the control requirements in the FedRAMP baseline. If a FedRAMP authorized IaaS is leveraged, the Agency only needs to assess controls that are not addressed by the managed IaaS provider. If a SaaS is hosted on a FedRAMP-authorized IaaS, the SaaS vendor would need to have a separate FedRAMP authorization. The IaaS authorization would remain as-is and then the SaaS would leverage/re-use the IaaS authorization and applicable security controls (for the IaaS portion of requirements). If a SaaS or PaaS is leveraging a non-FedRAMP authorized infrastructure, then the entire FedRAMP stack would need to be authorized together.
If a SaaS or PaaS resides on a FedRAMP Authorized infrastructure, does that mean it is also FedRAMP Authorized?
No, using a FedRAMP Authorized infrastructure does not automatically make your service FedRAMP compliant. Each layer (i.e. IaaS, PaaS, and SaaS) must be evaluated on its own and be FedRAMP Authorized. However, when your software sits on a FedRAMP Authorized infrastructure, it will inherit controls from that authorized system and you can explain this in your documentation.
Are third-party vendors required to be FedRAMP authorized?
Depending on the services being offered, the third-party vendor does not necessarily have to be FedRAMP compliant, but there are security controls you must make sure they adhere to. If there is a connection to the third-party vendor, they should be listed in the System Security Plan in the Interconnection Table. You can also search through the System Security Plan template and search on “third-party” or “third party” and see all of the security controls that apply to third-party vendors. Talk to your Authorizing Official to determine how best to handle third-party vendor offerings.
For cloud services that are authorized, what happens if the CSP changes the infrastructure of the system?
A change in infrastructure would be considered a significant change that would need to be evaluated for the severity of the change, impact on the risk posture, and could possibly result in the need for re-authorization.
Are there specific categories of routine/non-routine changes?
Significant change is defined by CA-6 in NIST 800-53 Revision 4. The list of the types of changes which will require notification versus updated documentation and/or reauthorization include:
- Changes to points of contact
- Changes in risk posture
- Change in system boundary (including new services)
Routine changes are generally documented in a CSP’s configuration management plan. Configuration management plans are reviewed and approved by authorizing officials.
Who published the latest version SP 800-53 Revision 4 and what security risk concerns do the security controls cover?
The framework for FedRAMP is the SP 800-53 security controls as published by NIST. These security controls holistically cover all major concerns for security risks for information systems and can be tailored to address unique considerations such as those for cloud systems.
How does FedRAMP handle TIC requirements in the cloud?
TIC compliant architectures are required through the FedRAMP security controls baseline. TIC compliance is a hybrid responsibility with CSPs needing to have an architecture that supports TIC and Agencies enforcing TIC routing and compliance.
During an assessment, are “on the spot” fixes acceptable? Or will it still need to be written up?
“On the spot” fixes are acceptable. However, this should be reported in the Security Assessment Report (SAR) as discovered, addressed, and verified by the independent assessor.
Is a penetration test required for FedRAMP ATO?
Yes, an independent auditor (i.e., 3PAO) must perform an announced penetration test as part of the assessment/testing process.
How does a company become a FedRAMP accredited Third Party Assessment Organization (3PAO)? How is the independence and quality of a 3PAO validated? Who pays for the 3PAO’s services?
Organizations that wish to be an approved FedRAMP assessor must be assessed by the American Association for Laboratory Accreditation (A2LA) to the requirements of ISO/IEC 17020:2012 Requirements for the Operation of Various Types of Bodies Performing Inspection. More information on becoming an accredited 3PAO may be found on the A2LA web page, however FedRAMP is not currently accepting new 3PAO applications.
The FedRAMP Program Management Office (PMO) assesses the quality of accredited 3PAO’s work by reviewing their CSP assessment reports. If the FedRAMP PMO has concerns about the quality or completeness of a 3PAO’s report, they will work with the FedRAMP accreditation organization, A2LA, to determine whether the 3PAO can still meet the accreditation requirements.
The payment of a 3PAO is a contract issue between a CSP and Authorizing Official, though typically a CSP will pay for the 3PAO assessment. CSPs pursuing a FedRAMP Ready designation are responsible for paying the 3PAO participating in that process. The FedRAMP conformity assessment process ensures independence regardless of who pays for the 3PAO assessment.
Why should a CSP use an independent assessment organization and when is it required?
Independent assessors perform initial and ongoing independent verification and validation of the security controls deployed within the CSP’s information system. CSPs that go through the FedRAMP JAB P-ATO process must use an approved Third Party Assessment Organization (3PAO) to provide an independent verification and validation of the security implementations required by FedRAMP. A FedRAMP approved 3PAO is optional for FedRAMP Agency authorization packages.
Can a non-accredited 3PAO provide readiness assessment services to CSPs prior to an accredited 3PAO assessing them for FedRAMP?
CSPs can partner with any service provider or consulting firm to prepare for the authorization process. Accredited 3PAOs are only required as the independent assessor when working with the Joint Authorization Board (JAB) for a Provisional Authority to Operate (P-ATO), submitting a Readiness Assessment Report (RAR) to be deemed FedRAMP Ready, or if required by an Agency (which is generally recommended by the FedRAMP PMO).
What is the role of the 3PAO in continuous monitoring?
CSPs must use a FedRAMP approved 3PAO for annual assessments of its cloud system and to evaluate the impact of some changes a CSP makes to its cloud system.
Who will do the continuous monitoring and ongoing authorization of the cloud systems that have been authorized by an Agency?
As a part of the FedRAMP requirements, Federal Agencies must implement a continuous monitoring program for any cloud system they deploy. FedRAMP requirements for continuous monitoring work to coordinate ongoing security across CSPs and Agencies in accordance with DHS policies and guidance. However, Agencies have ultimate responsibility for the continuous monitoring and ongoing authorization of the systems they use.
How is the continuous monitoring process for an Agency ATO governed?
Initially, the first Agency to grant an Authority to Operate (ATO) for a cloud service is responsible for ensuring that the CSP fulfills its responsibilities to perform continuous monitoring. It is the responsibility of all leveraging Agencies to review continuous monitoring deliverables from CSPs that have an Agency ATO (as well as to review the continuous monitoring artifacts for those that leveraged a P-ATO issued by the JAB).
The CSP should work with Agencies to determine the best method to distribute continuous monitoring materials, which could be centralized across multiple Agencies. If Agencies have similar continuous monitoring requirements, it may be possible to develop a group of Agency representatives to review continuous monitoring artifacts. See the FedRAMP Guide for Multi-Agency Continuous Monitoring for additional guidance. CSPs can use the OMB MAX secure repository to store continuous monitoring artifacts if it is required by an Agency. Agencies are not required to upload continuous monitoring documents to the repository.
FedRAMP provides continuous monitoring templates for CSPs and Agencies to use in support of continuous monitoring. For more information, see the Continuous Monitoring Strategy Guide on the FedRAMP website.
How long does a CSP have to remediate a POA&M and does this apply to all system levels?
A CSP has 30 days for remediating high POA&M items, 90 days for remediating moderate POA&M items, and 180 days to remediate low POA&M items.
Is continuous monitoring periodically reported or a real-time monitoring of critical metrics?
Currently, continuous monitoring is periodically reported. Cloud systems must provide monthly OS, database, and web application vulnerability scanning reports.
What mechanisms are in place for Agencies to manage CSPs that are about to lose their cloud service’s authorization?
For any Agency using a CSP, they should monitor CSP’s performance through continuous monitoring (regardless of JAB or Agency ATO), and if there are any issues with a CSP’s performance, they should enforce performance requirements via their contracts.The FedRAMP PMO provides guidance on the revocation of ATOs based on CSP performance under continuous monitoring post authorization in the Continuous Monitoring Performance Management Guide. This document explains the actions FedRAMP will take when a CSP fails to maintain an adequate risk management program. It lays out the escalation processes and procedures as well as minimum mandatory escalation actions FedRAMP will take when a CSP fails to meet the requirements of the P-ATO. It also specifically addresses FedRAMP P-ATOs maintained by the JAB and enables FedRAMP to provide effective oversight of the CSP Continuous Monitoring programs.
Where is the FedRAMP documentation maintained? How is the FedRAMP community notified of new documents posted for public comment?
FedRAMP documentation is maintained on fedramp.gov. Opportunities for large-scale public comment periods will be messaged via a number of channels and methods, including the fedramp.gov website, blog, and the FedRAMP updates email list which you can subscribe to the here.
Is the cost of a FedRAMP authorization a barrier to entry for small businesses?
The FedRAMP model of “do once, use many times” actually removes a barrier to entry for small businesses to work with Federal Agencies. Instead of CSPs having to expend resources for security authorizations with each Federal Agency customer, they can complete a FedRAMP authorization once and reuse with subsequent Federal Agency customers – saving both time and money. For more information about achieving a FedRAMP authorization as a small business, please read our latest blog on the subject here.