New Requirements for Agency FedRAMP In Process Designation
We recently released updated guidance for Cloud Service Providers (CSPs) on how to obtain the “FedRAMP In Process” designation, specific to FedRAMP Agency Authorizations. Once a CSP is deemed “FedRAMP In Process,” it is placed on the FedRAMP Marketplace, which highlights Cloud Service Offerings (CSOs) with FedRAMP designations (e.g. FedRAMP Ready, FedRAMP In Process and FedRAMP Authorized). The new In Process criteria ensure the information on the FedRAMP Marketplace is as accurate and up-to-date as possible.
The In Process designation indicates to agencies that a CSP is actively working toward a FedRAMP authorization. While the latest updates to the In Process guidance may seem more stringent than before, the changes help ensure that the designation is accurate and reflects that agencies and CSPs are actively working towards a FedRAMP Agency authorization with defined timelines and goal dates.
Why We Made Changes
One of the many best practices we learned through FedRAMP Accelerated is that it is critical for all parties involved in the authorization to be on the same page about FedRAMP requirements right from the get-go. This helps ensure that an authorization can be achieved in a reasonable timeframe, as efficiently as possible for both the CSP and the Agency.
The revised process will help ensure that both the CSP and the Agency are actively working on a FedRAMP authorization and are committed to making the authorization happen in a timely manner.
Obtaining the FedRAMP In Process Designation
To be considered “FedRAMP In Process,” the FedRAMP PMO must be in receipt of an e-mail from an Authorizing Official (AO) or a FedRAMP PMO-approved designee stating that they are actively engaging with the CSP and plan on granting an Authority to Operate (ATO) that meets FedRAMP requirements within 12 months. (Emails from agencies should be sent to: info@FedRAMP.gov.)
The reason an AO must send the initial e-mail is to ensure that agency personnel who will be performing a review of the authorization package and ultimately accepting risk associated with their Agency’s use of the CSO are aware of the effort. Many times a CSO’s main customer or client is a Program Manager who doesn’t have the authority to grant an authorization, so we need verification from an Authorizing Official that work is being performed in support of a security authorization.
In addition to the FedRAMP PMO receiving correspondence from the AO or FedRAMP PMO-approved designee, one of the following must be demonstrated to the FedRAMP PMO:
The agency must provide proof of a contract award for the use of the CSO, and the contract must specify a timeline outlining when a FedRAMP-compliant ATO must be achieved.
The cloud offering is actively in use with an Agency, and the Cloud Service Provider (CSP) can demonstrate Agency usage to the FedRAMP PMO. An e-mail from the Agency AO or FedRAMP PMO-approved designee stating the product is being used by the Agency will meet this requirement.
The CSO achieved the “FedRAMP Ready” designation from the FedRAMP PMO.
Involved parties completed a formal kick-off meeting with the FedRAMP PMO and Agency present, with agreement on:
A project plan from the CSP that outlines project milestones and schedule associated with the delivery of key authorization deliverables to the Agency and anticipated ATO date.
An authorization boundary diagram of all services/capabilities that are included within the security authorization package.
Resources available to support the FedRAMP Authorization from the CSP and Agency; personnel identified as critical to the authorization must be present at the kick-off meeting.
Completing an in-depth kick-off meeting is one of the most powerful ways to ensure agreement on critical project/deliverable milestones and a clear understanding of the FedRAMP process and stage gates, to establish appropriate communication channels between all parties, and to provide a technical overview of the CSO authorization boundary and security features. If the CSP or Agency selects this option, FedRAMP will partner with both the CSP and the Agency to ensure the CSP is fully prepared for the kick-off and authorization process and that the Agency can make sure all of its needs are met, and will offer to facilitate the meeting. Through this effort, we have seen Agencies and CSPs work productively and efficiently together to yield quicker FedRAMP Agency Authorizations.
Maintaining the FedRAMP In Process Designation
To maintain the “FedRAMP In Process” designation, the FedRAMP PMO will proactively reach out to the CSP and Agency every four months from the day they received the In Process designation. The CSP should communicate projected due dates for FedRAMP deliverables, the projected timeline for final authorization, and any project owner/3PAO/Agency personnel changes. Regular communication confirms the CSP’s commitment to maintaining the “FedRAMP In Process” designation, and ensures the content on the FedRAMP Marketplace is accurate and up-to-date for Agency customers.
Removal of a CSO from the FedRAMP Marketplace “In-Process” Designation
In order to maintain integrity of the marketplace, if a determination is made that a CSP is not actively working toward an authorization, the FedRAMP PMO may decide to remove the CSP from the marketplace. Examples of why a CSO could be removed from the marketplace are included in the updated policy.
We’d like to thank everyone in the FedRAMP ecosystem for their flexibility and understanding as we strive to improve the fidelity and power of the In Process designation for CSPs and Agencies, and we look forward to partnering with you all to continue to evolve and improve the FedRAMP program as a whole.
For questions or more information on the “FedRAMP In-Process” designation, please e-mail firstname.lastname@example.org.