RFC-0022 Leveraging External Frameworks
Summary
This RFC proposes a temporary, high-speed path to FedRAMP authorization for cloud services that already hold security assessments from external security frameworks, so that federal agencies and providers can test and pilot these services prior to investing in a full FedRAMP authorization path.
This authorization, part of the FedRAMP 20x path and designated as FedRAMP Validated Level 1, allows providers that meet certain criteria to receive a FedRAMP Validated authorization by meeting only a small portion of the 20x Low requirements, without additional independent verification and validation from a FedRAMP recognized independent assessor. This authorization will meet the necessary legal and policy requirements to allow agencies to test or pilot the use of these services based on their own risk determinations.
This process does NOT establish “reciprocity” with any external framework but does allow limited reuse of existing assessment and certification materials for a temporary authorization. Providers will be allowed to maintain the FedRAMP Validated Level 1 status for up to 1 year from the first agency reuse of this FedRAMP authorization. Agency reuse of this authorization should be limited to negligible and low risk systems.
This RFC is aligned with one other concurrent RFC that has additional details on specific topics but has been published separately to encourage topic-specific comments:
- RFC-0022: FedRAMP Authorization Designations
- RFC-0021: Expanding the FedRAMP Marketplace
Background & Authority
This proposed authorization combines multiple authorities and responsibilities into a single opportunity, aligned with priorities from the Office of Management and Budget and the Federal CIO outlined in OMB Memorandum M-24-15.
OMB M-24-15, Section IV: “To identify more cloud service offerings that could become FedRAMP authorized, and to accelerate their eventual path to being authorized, FedRAMP will provide procedures for issuing a time-specific temporary authorization, as discussed in NIST risk management guidelines, that would allow Federal agencies to pilot the use of new cloud services that do not yet have a full FedRAMP authorization.”
NIST SP 800-37 Rev 2, Appendix F: “If the authorizing official, after reviewing the authorization package, determines that the risk to organizational operations, organizational assets, individuals, other organizations, and the Nation is acceptable, an authorization to operate is issued for the information system… The authorizing official may choose to authorize the system to operate only for a short period of time if it is necessary to test a system in the operational environment before all controls are fully in place, (i.e., the authorization to operate is limited to the time needed to complete the testing objectives). [Formerly referred to as an interim authority to test.]”
OMB M-24-15, Section V: “FedRAMP will establish criteria for accepting widely-recognized external security frameworks and certifications applicable to cloud products and services, based on FedRAMP’s assessment of relevant risks and the needs of Federal agencies. This will include leveraging external security control assessments and evaluations in lieu of newly performed assessments, as well as designating certifications that can serve as a full FedRAMP authorization, if appropriate.”
Greg Barbaccia, Federal CIO, at the FedRAMP 20x Phase 2 Launch: “We know that if we want the government to accept and adopt incredible technology, we need to meet you halfway. Ideally more. […] We want to accept existing commercial frameworks and documentation, saving you time, saving you money…”
Motivation
All civil servants deserve access to high quality tools for non-sensitive use cases with a minimum investment of agency time and funding. Cloud services often have highly specific use cases for agency users that aren’t enterprise-wide and might be limited to a few specific users even in large agencies. The current policy environment makes the assessment, authorization, and deployment of smaller services for targeted use cases almost impossible for most agencies, because it never makes sense to spend tens of thousands of dollars to review the security of a service that won’t be deployed enterprise-wide.
At the same time, cloud services are often available at low cost for groups of users: yearly licenses for 500 users might only cost $10/mo each, for a total yearly revenue of $60,000. The profit from a deal like that with a single agency would cover a fraction of the salary for a single security engineer or compliance expert… so without large, expensive deals guaranteed there is little reason to invest in a FedRAMP authorization. In its current state, law and policy effectively block agency access to such services by requiring a FedRAMP authorization by default.
FedRAMP must make it as simple as possible for agencies to quickly obtain and maintain a FedRAMP authorization for cloud services they intend to use for non-sensitive use cases while simultaneously encouraging commercial cloud service providers to enter the federal market and generate revenue to invest in the additional capabilities necessary for initial and ongoing authorization of higher impact use cases.
To meet this need, FedRAMP will leverage statutory and policy authority to create a special time-limited FedRAMP authorization status for cloud services that meet widespread commercial security requirements called FedRAMP Validated Level 1.
FedRAMP Validated Level 1 will be a special designation during the Preparation phase for a cloud service provider, consistent with the Preparation phase of the NIST Risk Management Framework, to indicate that the provider is carrying out the essential activities necessary to prepare the organization to manage its security and privacy risks following the FedRAMP 20x process. This special designation highlights that the cloud service offering may already meet many of the underlying expectations for managing security but has yet to fully implement the government-specific requirements and recommendations necessary for a FedRAMP 20x Validation.
Proposed Requirements for FedRAMP Validated Level 1
All relevant proposed requirements and recommendations for the FedRAMP Marketplace process discussed in RFC-0021 also apply, including the requirements and recommendations for cloud service offerings in the Preparation status.
The following requirements and recommendations apply to ALL cloud services seeking to obtain and maintain FedRAMP Validated Level 1; unless otherwise stated in a specific requirement, the default corrective actions for cloud service providers that fail to address these requirements will be as follows:
Corrective Actions: Requirements will be enforced under a 3-strike rule over the lifetime of a cloud service offering’s continuous Marketplace listing:
- The first failure will result in public notification and a 3 month grace period to address the requirement.
- The second failure will result in public notification and a revocation of FedRAMP Validated for a period of at least 3 months.
- The third failure will result in public notification and suspension from the FedRAMP Marketplace entirely for a period of at least 12 months.
MKT-LEF-PRE Preparation State Listing Required
Providers MUST have their cloud service offering listed in the FedRAMP Marketplace in the Preparation state for FedRAMP 20x.
Note: FedRAMP will only list products that are within the Scope of FedRAMP; please review the requirements for the Preparation state MKT-LEF-PRE in RFC-0020 to understand the circumstances here.
MKT-LEF-ASF Approved Security Frameworks
Providers MUST have completed an external security assessment from the following list that is appropriately current and that includes an independent assessment from an appropriately accredited independent auditor, as required by the framework:
- SOC 2 Type II
- ISO/IEC 27001
- HITRUST e1, i1, r2
- StateRAMP (dba GovRAMP) Provisionally Authorized, Authorized
- CMMC Level 2
- FedRAMP Ready
Notes:
- This list is not an endorsement of any security framework but is intended to capture common frameworks with wide commercial adoption or direct relevance that are likely to contain audited materials to meet the Validated Level 1 requirements.
- Additional external security frameworks may be added to this list based on demand.
MKT-LEF-MAP Mapping to Key Security Indicators
Providers MUST include a temporary mapping from their existing commercial security assessment to a subset of FedRAMP Key Security Indicators in simple, short, narrative text with direct links to the source material; this mapping must be available in both machine-readable and human-readable formats and include at least the following indicators:
- KSI-AFR-01 Minimum Assessment Scope
- KSI-AFR-03 Authorization Data Sharing
- KSI-AFR-06 Collaborative Continuous Monitoring
- KSI-AFR-08 FedRAMP Security Inbox
- KSI-CMT-01 Log and Monitor Changes
- KSI-CMT-04 Change Management Procedures
- KSI-CNA-02 Attack Surface
- KSI-IAM-01 Phishing-Resistant MFA
- KSI-IAM-03 Non-User Accounts
- KSI-INR-01 Incident Response Procedures
- KSI-MLA-01 Security Information and Event Management
- KSI-SVC-02 Network Encryption
- KSI-SVC-10 Unwanted Data Removal
Notes:
- If a clear mapping does not exist for an indicator, the indicator should be addressed with new information that is clearly marked as not having been independently audited.
- FedRAMP is renaming some Key Security Indicators; this RFC may be updated to reference the same Key Security Indicators under different names.
MKT-LEF-AFM Availability of Full Materials
Providers MUST make the full materials from the leveraged existing commercial security assessment available to all necessary parties as part of the FedRAMP Validated Level 1 authorization package.
MKT-LEF-IVV Independent Verification and Validation
Providers MAY have their FedRAMP Validated Level 1 authorization package independently verified and validated by a FedRAMP recognized independent assessor prior to submission to FedRAMP; this is NOT required.
MKT-LEF-FPS Formal Procedures for Submission
Providers MUST precisely follow formal FedRAMP procedures to submit a complete authorization package for FedRAMP Validated Level 1.
Note: This formal procedure will be published separately when this proposal has been approved and formalized after public comment but will likely consist of a simple form with attestation that requirements have been completed.
Corrective Actions: Failure to submit a sufficient or complete report will result in a 3 month penalty for resubmission.
MKT-LEF-DFV Deadline for FedRAMP Validation
Providers MUST obtain a FedRAMP 20x Validation within 12 months of their FedRAMP Validated Level 1 cloud service offering receiving an agency Authorization to Operate.
Note: This applies to any positive Authorization to Operate decision even if the agency is using outdated or internal terminology such as “Interim Authority to Test.”
MKT-LEF-ATO Authorization to Operate Notification
Agencies MUST notify FedRAMP after approving the Authorization to Operate a cloud service based on reusing a FedRAMP Validated Level 1 package by emailing info@fedramp.gov to coordinate FedRAMP access to at least the following information from the agency:
- The signed ATO letter.
- Contact information for the System Owner, Information System Security Officer, and Authorizing Official.
- All agency-specific materials generated for the Authorization to Operate, including at least the System Security Plan and Security Assessment Report.
- Approval or denial for FedRAMP to share these materials with other agencies, signed by the Authorizing Official or a delegate.
Notes:
- This is a statutory obligation for agencies in the form of supplementary information required pursuant to 44 USC § 3609 (a).
- 44 USC § 3613 (c) states: “Upon issuance of an agency authorization to operate based on a FedRAMP authorization, the head of the agency shall provide a copy of its authorization to operate letter and any supplementary information required pursuant to section 3609(a) to the Administrator.”
- This applies to any positive Authorization to Operate decision even if the agency is using outdated or internal terminology such as “Interim Authority to Test.”
MKT-LEF-NLR Negligible or Low Risk Use Cases
Agencies SHOULD limit the reuse of a FedRAMP Validated Level 1 package to pilot/test use cases or those with negligible or extremely low risk when performing an Authorization to Operate with conditions for their use of this cloud service.
MKT-LEF-RFM Review Full Materials
Agencies SHOULD review the full materials, including the external security assessment, when making an authorization decision to reuse the FedRAMP Validated Level 1 package in an agency Authorization to Operate.
MKT-LEF-LIO Low Impact Only
Agencies SHOULD NOT reuse a FedRAMP Validated Level 1 authorization to perform an agency Authorization to Operate at higher than the Low impact level UNLESS deploying significant compensating controls.
MKT-LEF-ROQ Require Ongoing FedRAMP Qualification
Agencies SHOULD include a requirement in their Authorization to Operate that the cloud service offering maintain a FedRAMP Validated status with automatic revocation of the Authorization to Operate in the event that the FedRAMP Validated status is revoked.
Related Updates to the Minimum Assessment Scope
To avoid confusion related to this FedRAMP Validation level (which is intended only for agency use), FedRAMP will update the Minimum Assessment Scope under FRR-MAS-03 for both 20x and Rev5 as follows:
FRR-MAS-03 Non-FedRAMP Authorized Third-Party Information Resources
Providers MUST clearly identify and document the justification, mitigation measures, compensating controls, and potential impact to federal customer data from the configuration and usage of third-party information resources that are not FedRAMP Validated Level 2+ or FedRAMP Certified Level 1+, ONLY IF FRR-MAS-01 APPLIES.
Note: The purpose of FedRAMP Validated Level 1 is to encourage agency-based testing and piloting of these services following a detailed, use-case-specific review; therefore, anyone other than an agency authorizing official should treat a FedRAMP Validated Level 1 service as if it does NOT have a FedRAMP authorization.