Case Study: NSF Achieved an Agency Authorization in Four Months
Over the last two years, we have evolved the way we engage with the FedRAMP community. Throughout this transformation we have kept three goals in mind: reduce the authorization timeline without compromising security rigor, increase transparency, and strengthen the FedRAMP community/marketplace. One of the FedRAMP PMO’s critical work streams in meeting these goals is rooted in the FedRAMP agency authorization process.
To that end, we’ve decided to share some best practices for going through the agency authorization process by highlighting our work with the National Science Foundation (NSF), who achieved a FedRAMP Agency Authorization in just four months. More details on this can be found in our downloadable NSF Case Study.
We attribute NSF’s success to a number of factors, which we have culled into a list of four best practices:
Acknowledge the expertise required: Federal security requirements can be difficult to interpret and therefore, difficult to implement. Having knowledgeable agency and CSP personnel associated with FISMA, FedRAMP, and NIST security controls on board is key to creating efficiencies in the authorization timeline.
Collaborate early and often: It is critical to involve all partners (FedRAMP, the CSP, the 3PAO, and the agency) as early as possible. This enables the collective group to promptly handle the key logistic and strategic components from the beginning of the project. This could include designating roles and responsibilities with key agency, CSP, and 3PAO personnel; clarifying expectations associated with the authorization timeline and FedRAMP deliverables; establishing a shared perspective on technical requirements and on which components are included within (and outside) the authorization boundary; and identifying early on any deltas/gaps between the cloud service offering and the security requirements (controls).
Create a committed and accountable partnership: NSF and the CSP acknowledged the criticality of achieving an ATO, and both committed to its success. Once this commitment was established, NSF and the CSP were both accountable to the plan, their respective responsibilities, and the way forward.
Engage leadership at all levels: Gaining leadership buy-in at the highest levels of the organization (agency and CSP) early on ensured appropriate resources were allocated throughout the authorization process. Additionally, informing senior leadership of critical risks associated with project scope, cost, or schedule developed a sustained commitment from all stakeholders throughout the lifecycle of the project.
The NSF case study not only demonstrated what can be accomplished when FedRAMP and its partners work together, but it also transformed the way the FedRAMP PMO works with agencies. The PMO now publishes the “Agency ATO Review Guide”, a checklist that we share with agencies in the beginning of the process, so they know what we are looking at when we review packages.
If you have additional questions about the agency authorization process, please don’t hesitate to reach out to firstname.lastname@example.org.