What Do Managed Service Providers Need to Know About FedRAMP Certification and Compliance?

FedRamp compliance Government Featured

Managed Service Providers can support clients in nearly any industry with the right security and certifications. Typically, MSPs will find that maintaining compliance for some industries will require more overhead than others. These industries will include those like healthcare and government. 

One form of compliance that any company offering cloud products in the government space needs to understand is the Federal Risk and Authorization and Management Program (FedRAMP). This program calls for security measures that companies, including managed service providers in, or working with clients in, the federal government space, should understand. 

FedRAMP for government cloud service

What is FedRAMP Compliance?

FedRAMP was built to help government agencies leverage cloud technologies safely and securely through private cloud vendors. As these governmental agencies almost always manage Private Identifying Information (PII) or sensitive data protected by security clearance, maintaining strict security controls is essential. 

The official FedRamp website outlines three major partners forming the core of FedRAMP regulations:


  1. Federal agencies looking to use cloud technologies as part of their operations. 
  2. Cloud service providers that want to serve these agencies with their platforms.
  3. Third-party assessors that help cloud providers and federal agencies remain compliant. 


If you are a managed service provider, it’s most likely that you are working directly with federal agencies or managing cloud services for customers using cloud services to service federal agencies. 

In either case, it’s going to be up to you to ensure that your infrastructure can support FedRAMP compliance. It could be a great benefit to your clients if you could also help them get FedRAMP certified, or to perform regular FedRAMP audits. 


FedRAMP Compliance and Managed Service Providers

There are several high-level requirements for FedRAMP compliance:

  1. Complete the proper FedRAMP documentation, including the FedRAMP System Security Plan
  2. Reorganizing control systems to comply with FIPS publication 199.
  3. Having you (or your client) assessed by an authorized FedRAMP Third-Party Assessment Organization (3PAO).
  4. Developing an official plan of action with milestones.
  5. Obtain Agency or Joint Authorization Board (JAB) Provisional Authorization to Operate (ATO). 


There are obviously several steps in between these requirements, but these steps outline the basic backbone for FedRAMP compliance. In between all of these basic requirements are several layers of meetings, data gathering requirements, and reporting that lead from one step to the next. 

What is important here is the role of the third-party assessor. As part of FedRAMP requirements, cloud service providers must undergo an assessment by a 3PAO. 

What is a 3PAO? These organizations are accredited FedRAMP assessors that perform the initial and regular assessments that determine that cloud providers meet FedRAMP compliance. 

These third-parties are not just outside businesses, however. 3PAOs are critical partners that work with companies to determine their readiness for FedRAMP auditing and compliance. These partners will help providers build a Readiness Assessment Report (RAR) that determines their security capabilities and, if actually ready, signs off on that provider’s progression through the compliance process.

Needless to say, proving readiness requires significant information, including your cloud security capabilities, validation of what has been implemented (versus what is simply claimed), and an understanding of how FedRAMP compliance works within the CSPs existing infrastructure. 


What are the Phases of FedRAMP Certification for Cloud Providers?

While there are specific requirements for certification, the path to get there depends on your organization. Broadly, the government divides FedRAMP authorization into 3 phases:

  1. Pre-Authorization: This is where you would work with the 3PAO to devise your plan for authorization, including completion of a RAR. At this juncture, it is critical for you to be as honest and forthright about your organization and technology as possible. There are no shortcuts here, and if the 3PAO doesn’t see your infrastructure as capable of meeting requirements, nothing is going to push you through the process.
  2. Authorization: In this phase, you would work with your 3PAO to actually test and assess your existing security controls. You’ll complete a Security Assessment Plan, which functions as a roadmap of the assessment and includes a breakdown of the methodologies the 3PAO will use to test your system.During this phase, you can expect specific tests to occur. These tests will include a “rules of engagement” that outlines how the 3PAO will test your system, under what conditions, and for what vulnerabilities. This phase includes extensive penetration tests and other test cases based on low, medium, and high-security requirements.Note that your organization will not get to this testing phase if the 3PAO doesn’t determine that your infrastructure is ready for FedRAMP requirements in the Pre-Authorization Phase.After the completion of testing, you and your 3PAO will compile your Security Assessment Plan and Security Assessment Report as part of your FedRAMP application package.
  3. Post Authorization: In this phase, your system is considered secure for government agencies. You will have to undergo regular assessments and monitoring, however, to prove continued compliance. This means that reporting and data collection will be crucial to maintaining certification. 


    Assessments following authorization are monthly and can include monitoring by 3PAOs or through internal teams. Any changes to your system that might deviate from FedRAMP regulations must be validated through the 3PAO and governing agencies. 


    Why is FedRAMP Compliance Important for Managed Service Providers, and Why Should They Consider Third-Party Assessors?

    Federal government service is a growing industry, particularly when it comes to modern cloud tools. Government agencies are looking to cloud providers to help them run their operations more efficiently, which obviously has great benefits for employees of those agencies and citizens of the U.S. more broadly. 

    As these agencies are dealing with PII regularly, security is of the utmost concern. Maintaining this security, however, is a huge challenge for vendors with multiple partnerships across multiple platforms. 

    As a managed service provider, you may offer packages of cloud services directly to government agencies. YOu may also offer cloud services to clients that work with federal clients. In either case, you’ll have to maintain FedRAMP compliance across your technology no matter who is using it. While that might seem like a big lift in terms of security and logistics, it also opens significant opportunities to serve clients in diverse markets. 

    At the core of FedRAMP compliance is the 3PAO. That doesn’t mean that you or your clients can leave it to them to manage their compliance needs, however. Accordingly, maintaining FedRAMP compliance internally could take a full-time IT team on its own. 

    By working with a third-party assessor to help with FedRAMP compliance, you can ensure that your system maintains the right standards while simplifying reporting and auditing. Unless you are a dedicated security provider yourself, it’s often a better solution to work with a dedicated security vendor certified in FedRAMP compliance. 


    If you’re a managed service provider serving clients in the federal government space, then you can call upon our expertise to help you through your FedRAMP authorization and compliance journey. Call 1-888-896-7580 to discuss your compliance needs and how we can support you and your clients. 

    Lazarus Alliance