What is FedRAMP?
FedRAMP stands for The Federal Risk and Authorization Management Program. FedRAMP is a US government-wide program that provides a standardized methodology for security assessment and continuous monitoring of Cloud Service Offerings (CSO).
FedRAMP is regulated by the Joint Authorization Board (JAB) that includes representatives from:
- the Department of Homeland Security
- the General Services Administration, and
- the Department of Defense
Overview of FedRAMP
FedRAMP was designed to encourage and standardize the adoption of cloud services across the federal government by providing guidelines to evaluate and authorize secure cloud products and services.
The goal of FedRAMP is to ensure the responsible use of cloud technologies and to protect federal information. Additionally, companies with a CSO or Cloud Service Providers (CSPs) have a responsibility to ensure their products meet FedRAMP security standards.
FedRAMP authorization can occur at one of four impact levels depending on the amount of risk associated with the CSO. Each impact level centers around three main components:
The impact levels, based on the National Institute of Standards and Technology (NIST)’s Federal Information Processing Standard (FIPS) and Special Publication 800-37 are:
- High: Typically for systems related to healthcare, law enforcement, financial, or emergency services where “the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.”
- Moderate: For those systems where “the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.”
- Low: For those systems where “the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.”
- Low-Impact Software-as-a-Service (LI-SaaS): For “systems that are low risk for uses like collaboration tools, project management applications, and tools that help develop open-source code.” This is also referred to as ‘FedRAMP Tailored’.
Ultimately, a Third Party Assessment Organizations (3PAOs) will assess the security of a CSO to ensure they meet FedRAMP requirements. 3PAOs obtain accreditation through the American Association for Laboratory Accreditation (A2LA). Often 3PAO’s are also used by CSPs as consultants during the FedRAMP certification planning process.
What are the requirements of FedRAMP?
Obtaining FedRAMP certification requires adhering to one of the aforementioned levels of security depending on the level of risk associated with the CSO.
CSPs are required to submit a Control Implementation Summary (CIS) workbook and a System Security Plan (SSP).
The CIS workbook should lay out the security controls that the CSP has implemented, as well as, those that their customer (an agency) has implemented to protect data impacted by the use of FedRAMP Authorized Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), and Platform-as-a-Service (PaaS). The CIS workbook must include a Customer Responsibility Matrix (CRM) which defines the controls and the specific elements of each control. The CRM will also indicate if a control is the CSP’s responsibility or the agency’s responsibility.
The SSP should provide details on how each of the controls is implemented for the CSP and the customer. Beyond that, the SSP should define the features and functions of your systems, including hardware and software and the security measures that limit access, and how users are trained to use the system securely. Finally, it will include how the system is audited and maintained as well as details around incident response and disaster recovery.
Who does FedRAMP apply to?
Cloud Service Providers and federal agencies are required to follow FedRAMP. Both CSPs and agencies are responsible to ensure the security and protection of federal information in cloud technologies.
While it is the CSP that will ultimately need to obtain FedRAMP authorization, monitoring compliance and data protection is a shared responsibility.
FedRAMP Authorization Best Practices
Achieving FedRAMP authorization can be a cumbersome process. To make the process as seamless as possible, there are several best practices recommended by FedRAMP.
- CSP’s should take the time to plan for FedRAMP by breaking down the aspects of their offering and mapping the relevant aspects to FedRAMP requirements. Agencies also need to understand how the CSP impacts their data.
- Obtain stakeholder buy-in and commitment to ensure you have the resources at your disposal to orchestrate a compliance project.
- Appoint the proper team with set roles and responsibilities or utilize a consultant to help facilitate your FedRAMP certification project.
- Allocate the time to scope your FedRAMP authorization including your internal infrastructure, the external services it provides, and the flow of sensitive data. You may also require multiple certifications for multiple products.
- Ensure that compliance doesn’t end with authorization but is an ongoing process of monitoring to ensure compliance is maintained over time.
- As part of your ongoing compliance strategy, routine penetration testing and continuous monitoring should be a priority to ensure compliance over time and to confirm that all security measures are still effective and are achieving their desired objectives.
- Utilize a FedRAMP template to help get started with your compliance strategy.
- FedRAMP is a US government-wide program that provides a standardized methodology for security assessment and continuous monitoring of Cloud Service Offerings (CSO).
- It applies to both Cloud Service Providers and the Federal Agencies that use them.
- FedRAMP requirements center around data confidentiality, integrity, and availability.
- FedRAMP authorization is the responsibility of the CSP, but agencies also have a responsibility to monitor data protection and compliance adherence.
- The level of authorization ranges from low to high based on the level of risk associated with the CSO.