The Federal Risk and Authorization Management Program (FedRAMP) provides a framework to deliver secure cloud services to federal government agencies. The program covers security assessment, authorization, and continuous monitoring of cloud products and services.
Any cloud service provider (CSP) that sells commercial cloud service offerings (CSO) to a federal agency must comply with FedRAMP. This article looks at some of the details around what the FedRAMP requirements entail.
For an introduction to FedRAMP, check out “A FedRAMP Primer.”
A high-level view of FedRAMP compliance requirements
Any CSP that needs to deliver a commercial cloud service offering (CSO) to a federal agency must demonstrate FedRAMP compliance. Achieving FedRAMP compliance involves adherence to several security requirements. These requirements are drawn from the NIST 800-53 framework as augmented by the FedRAMP Program Management Office (PMO). Once these requirements are met, the CSP receives FedRAMP authorization, known as a FedRAMP Authority to Operate (ATO).
Adherence to FedRAMP requirements is demonstrated through a process that involves several key areas:
The CSP must complete FedRAMP documentation, including the FedRAMP System Security Plan (SSP). This important document is part of a wider security package used by a CSP to describe its security controls.
FIPS 199 is the standard that defines security categories for federal information systems based on the impact of a loss of confidentiality, integrity, or availability. Controls should be implemented in line with these categories.
A Third Party Assessment Organization (3PAO) is required to assess the CSO’s compliance status. A 3PAO is an independent assessor accredited to check a CSO for FedRAMP compliance.
The results from the 3PAO assessment may require some remediation activities.
Plan and develop
The FedRAMP Plan of Action and Milestones (POA&M) document is an important document in the process of FedRAMP compliance. It includes key security findings and continuous monitoring activities. A template of a POA&M is available from FedRAMP.
Authorization is needed from an Agency ATO or Joint Authorization Board (JAB) Provisional ATO (P-ATO). More on this below.
A vital part of FedRAMP compliance is an action plan for Continuous Monitoring (ConMon). This should include monthly vulnerability scans.
Further details and resolution of common issues can be found in “Tips and Cues” from FedRAMP.
FedRAMP compliance and levels of impact
FedRAMP compliance requires that security controls are applied at the right level per category. These individual security controls are grouped into three baselines: high, moderate, and low. FedRAMP categorizes CSPs into one of these three impact levels, each with its own set of security control requirements.
Low impact applies where the loss of confidentiality, integrity, and availability would result in “limited adverse effects on an agency’s operations, assets, or individuals.” Low impact security usually applies to applications with limited or no storage of personally identifiable information (PII).
Moderate impact applies where the “loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency’s operations, assets, or individuals.” According to FedRAMP, around 80% of CSP applications fit into this impact level.
High impact usually applies to applications used within law enforcement and emergency services systems, financial systems, health systems, and any other system where the “loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.”
FedRAMP controls cover the following areas:
- Access Control
- Awareness and Training
- Audit and Accountability
- Security Assessment and Authorization
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Media Protection
- Physical and Environmental Protection
- System Security Planning
- Personnel Security
- Risk Assessment
- System and Services Acquisition
- System and Communications Protection
- System and Information Integrity
Each impact level has its own set of controls. A full list of requirements can be found in the spreadsheet “FedRAMP Security Controls Baseline.”
Agency vs. Joint Authorization Board
There are two pathways to meeting FedRAMP compliance: obtaining a FedRAMP ATO directly from a federal agency, or receiving a FedRAMP P-ATO from the Joint Authorization Board (JAB). However, the two are not equivalent, a P-ATO being viewed as a first step towards a full ATO.
Agency FedRAMP ATO
This pathway takes a CSP through an arduous process and is agency-specific. The FedRAMP documentation describes a four-step process to help achieve authorization.
- Partner Establishment: formalizes a partnership with an Agency using the FedRAMP marketplace.
- Full Security Assessment: 3PAO tests the CSP’s system and provides a Security Assessment Report (SAR) with its findings.
- Authorization Process: The agency reviews the 3PAO assessment and either approves it or requests additional testing.
- Continuous Monitoring: The CSP must provide monthly continuous monitoring deliverables to the agencies that are using its service.
Joint Authorization Board (JAB) Provisional ATO (P-ATO)
A CSP with a P-ATO has been given initial approval from the JAB to work with an agency. However, meeting the requirements for a P-ATO involves an in-depth, three-phase process and an assessment of risk by the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA).
Phase 1: Readiness Assessment and FedRAMP Connect: CSPs must submit a business case for evaluation. FedRAMP prioritizes only 12 CSPs to work with the JAB each year.
Phase 2: Full Security Assessment: Once a CSP is deemed “FedRAMP Ready,” a System Security Plan (SSP) is created by the CSP and accredited by a 3PAO. From here, a 3PAO develops a Security Assessment Plan (SAP), performs a security assessment of the CSO, and produces a Security Assessment Report (SAR). The CSP then develops a Plan of Actions and Milestones (POA&M) to track and manage system security risks identified in the SAR.
Phase 3: Authorization Process: Finally, a kick-off meeting with the JAB, the FedRAMP PMO, the 3PAO, and the CSP’s authorization team is held. If further remediation and/or additional documentation is needed, this work must be completed before the CSP receives a P-ATO decision and formal authorization.
Automating FedRAMP: “do once, use many times.”
In addition to robust cloud security, FedRAMP aims to save time, money, and staffing effort. However, the process of achieving FedRAMP compliance is complex. Once FedRAMP compliance is achieved, the underlying requirements that have been met are persistent and can be reused many times. By using a SaaS model to achieve FedRAMP compliance, such as FedRAMP-as-a-Service, an organization can simplify and automate FedRAMP compliance and ensure that adherence to requirements continues with reduced overhead.