In a constantly changing IT landscape, the migration of on-premise technologies to the cloud has only increased. Agencies have the opportunity to save money and time by adopting innovative cloud services to meet their critical mission needs. Agencies are required by law to protect any federal information that is collected, maintained, processed, disseminated, or disposed of by cloud service offerings, in accordance with FedRAMP requirements.
FedRAMP is a unique government program that is at the epicenter of cloud technology, cybersecurity, and risk management. FedRAMP provides a standardized framework to security assessment, authorization, and continuous monitoring for cloud products and services. This framework uses a “do once, use many times” approach that saves an estimated 30-40% of government authorization costs, by reducing both time and staff required to conduct Agency security assessments. FedRAMP maintains a Marketplace of all vendors that hold a FedRAMP designation, as well as a Secure Repository for all of the authorization packages for FedRAMP Authorized vendors.
FedRAMP Authorization: An Agency’s Perspective
FedRAMP facilitates collaboration across the federal government and enables effective stakeholder alignment during the FedRAMP authorization process. Prior to engaging a Cloud Service Provider (CSP), it is important that agencies understand their technical requirements, to include determination of the type of cloud service/scope of services needed, cloud deployment model, data sensitivities, and other pertinent information.
Agencies should begin by defining their mission needs and specific requirements for a Cloud Services Offering (CSO), and research potential providers. We recommend agencies first check the FedRAMP Marketplace to see if there is a CSO that meets their needs that has already started the FedRAMP process or is authorized. Agencies interested in a CSO that is already FedRAMP Authorized should request access to their package through our Package Request Form. Agencies interested in a CSO that is In Process should inquire about their status by contacting the CSP directly, or emailing firstname.lastname@example.org.
Agencies interested in acquiring a provider that is not yet FedRAMP Authorized or FedRAMP In Process should contact the PMO to learn more about how to partner with the CSP to issue a FedRAMP authorization. We recommend reviewing our Agency Authorization Playbook for more information on the Initial Authorization process, and our In Process Requirements for information about how to establish a partnership with a CSP.
Agencies having difficulty selecting a CSO should reach out to email@example.com. The PMO would be happy discuss options and share lessons learned from other Agencies.
To issue an Authority to Operate (ATO) for a provider that is already FedRAMP Authorized, Agencies should:
- Conduct a risk analysis by reviewing the CSP authorization package
- Determine if the risk posture is acceptable
- Determine if the CSP needs to meet additional requirements for Agency mission/business needs
- Approve the CSP package for authorization
- Issue an ATO for the CSP service/system
- Send the ATO letter to the FedRAMP PMO at firstname.lastname@example.org
If an Agency is working with a CSP who is not yet FedRAMP Authorized, they will perform the initial authorization for the CSO. An Agency should first communicate their partnership with FedRAMP in accordance with our In Process Requirements. The authorization process begins with a kick-off discussion among all stakeholders. Following kick-off, the CSP and assessor begin system vulnerability testing of the cloud service offering and consolidate security documentation within the security authorization package. An Agency’s role in authorization is to:
- Maintain open communication with the CSP and independent assessor to provide clarity and answer questions regarding specific security control requirements
- Review the CSP security authorization package, which includes:
- System Security Plan (SSP) detailing the CSP’s system security environment
- System Assessment Plan (SAP) detailing the independent assessor's approach for vulnerability testing of the CSP’s system
- System Assessment Report (SAR) detailing the independent assessor’s findings and recommendations pursuant to performance of the SAP
- Plan of Actions and Milestones (POA&M) detailing the CSP's and independent assessor’s approach to addressing or identifying system vulnerabilities as well as the approach to continuous monitoring of the system
- Direct the CSP for remediation of security vulnerabilities identified in the SAR, as needed
- Perform final review of a security authorization package, with a focus toward understanding the risk posture the Agency must accept by using the cloud service
If an Agency accepts the risk posture illustrated by a CSP’s security authorization package, it falls to the Agency Authorizing Offical (AO) to issue an Authority to Operate (ATO) letter. Submission of the ATO letter to the CSP and FedRAMP imparts authorization status and prompts listing of the cloud service in the FedRAMP Marketplace.
The FedRAMP PMO recommends agencies review the Agency Authorization Playbook for more information about roles and responsibilities, best practices, and resources available to support them in the authorization process.
It is incumbent upon each Agency to ensure the risk posture that was agreed upon at the time of authorization remains consistent throughout the lifecycle of the system at that Agency. Continuous monitoring of a cloud system includes monthly meetings between an Agency and CSP to review a system’s high-level transaction reports, security scans, and updated POA&M. Agencies should also assess CSPs annually, reviewing details about system changes and updates, and ensuring compliance with the originally accepted risk posture.
As part of continuous monitoring, FedRAMP recommends the following best practices:
- Perform system scanning at least monthly, with a recommendation for even greater frequency
- Require the CSP to seek approval following monthly and annual assessments as an operational requirement (OR) for continued use of the system
- Validate the remediation of system vulnerabilities within 30 days of discovery of high and critical vulnerabilities. Validate the remediation of system vulnerabilities within 90 days of discovery for moderate vulnerabilities. Validate the remediation of system vulnerabilities within 180 days of discovery for low vulnerabilities.
- Reach out to the FedRAMP PMO at email@example.com for support during continuous monitoring and to address any gaps in received information from CSPs
Agencies can find further detail regarding the level of effort and approach to authorization in FedRAMP’s Agency Authorization Playbook.
FedRAMP is an example of a true partnership between the public sector and industry; there are over 120 Federal Agencies and 160+ industry partners actively engaged with the program. It is one of our priorities to support Agencies and their journey to innovate, modernize, save time and money, and protect citizen data using the latest cloud technologies. We are here to assist and guide Agencies through the FedRAMP authorization process, as well as promote collaboration across the federal government. If we can be of any support, please do not hesitate to contact us at firstname.lastname@example.org.