Federal agencies are quickly adopting new and more advanced IT and security technologies to facilitate their work. This, in turn, means they are turning to vendors that deliver those services, in whole or in part, from the cloud. SaaS applications, cloud storage, and the demand for analytics and insight are making cloud real estate a hot commodity for these agencies. That is why the federal government, coordinating through federal technical guidelines and laws, requires Cloud Service Providers (CSPs) to obtain authorization under the Federal Risk and Authorization Management Program, or FedRAMP, before their services can be used to store or process federal data.
The FedRAMP authorization process is rigorous and involved and can seem almost insurmountable for CSPs or other providers without any experience in the areas of cybersecurity or government contracting. This guide seeks to support business decision makers by demystifying some of the broader concepts of FedRAMP compliance to help them make informed decisions about their security positioning and potential compliance needs.
Table of Contents
- What is FedRAMP?
- What is FedRAMP Authorization to Operate (ATO) and Provisional Authorization to Operate (P-ATO)?
- What are the Project Management Office (PMO) and Joint Authorization Board (JAB)?
- What is a Third-Party Assessment Organization (3PAO)?
- What is the FedRAMP Authorization Process?
- What are the FedRAMP Security Controls?
- What are FedRAMP Impact Levels?
- What are NIST and Special Publication 800-53?
- What is FISMA?
- Contact Us
What is FedRAMP?
FedRAMP is a government-wide security authorization program specifically for CSPs working with federal agencies. The framework defines baselines of security controls, drawn from NIST SP 800-53, covering areas like encryption and data protection, access control and authorization, physical safeguards, and the other requirements for securing sensitive or confidential government information. Any cloud service offering (and this includes SaaS, PaaS, and IaaS offerings) must be FedRAMP authorized before a federal agency can use it to store or process federal information.
Since the FedRAMP authorization process is so demanding, a FedRAMP ATO is beneficial even for cloud service providers that do not currently work with the federal government. Private-sector companies are aware of how difficult it is to comply with FedRAMP and recognize it as a gold standard of cloud security.
This is not to say that the underlying FISMA compliance process (FedRAMP is how FISMA requirements are applied to cloud services) is easy. Organizations need to map the specific NIST 800-53 controls in their baseline to the requirements of each agency they wish to do business with, and an agency may layer its own requirements on top of the FedRAMP baseline. There are hundreds of controls, and working out which ones apply in each situation, and which ones the CSP implements itself versus inherits from an underlying provider, can be quite complex.
What is FedRAMP Authorization to Operate (ATO) and Provisional Authorization to Operate (P-ATO)?
When a CSP completes the FedRAMP authorization process through an agency, the Authorizing Official of that agency issues an Authorization to Operate, or ATO, for the cloud service. At this point, the agency has accepted the residual risk of using the service and the CSP may provide it to that agency, so long as the CSP maintains compliance per the Continuous Monitoring requirements.
A Provisional ATO, or P-ATO, is issued by the Joint Authorization Board (JAB), a governing body made up of representatives from several federal and defense agencies. A P-ATO shows that the JAB has reviewed the CSP's security package against the full FedRAMP baseline for its impact level and found the risk acceptable. It is "provisional" because the JAB cannot accept risk on behalf of any individual agency: each agency that wants to use the service must still review the package and issue its own ATO, adding any agency-specific requirements it needs.
Most CSPs will pursue an ATO with a specific agency.
What are the Project Management Office (PMO) and Joint Authorization Board (JAB)?
The Program Management Office, or PMO, housed within the General Services Administration (GSA), runs the day-to-day operation of FedRAMP: it standardizes the templates, requirements, and processes involved in authorization, maintains the FedRAMP Marketplace, and publishes the baselines and guidance that CSPs and 3PAOs follow. Essentially, this office drives the program and its evolution so that it reflects the security standards required of CSPs.
The JAB was the primary governing body of FedRAMP, made up of the CIOs of the Department of Homeland Security, the Department of Defense, and the General Services Administration. A P-ATO could be obtained only through the JAB. Note that the FedRAMP Authorization Act of 2022 and OMB Memorandum M-24-15 (2024) replaced the JAB with a FedRAMP Board, so the JAB path described on this page reflects the program as it operated before that change; check the current FedRAMP guidance for the authorization paths available today.
What is a Third-Party Assessment Organization (3PAO)?
As part of the authorization process, all CSPs are required to work with a Third-Party Assessment Organization, or 3PAO. These entities are accredited by the American Association for Laboratory Accreditation (A2LA) against ISO/IEC 17020 and FedRAMP-specific requirements, and their staff usually also serve as security consultants or systems engineers for clients in a variety of industries.
Much of what a 3PAO does is outlined in FedRAMP rules: a CSP must have its readiness assessment, security testing, and reporting performed by a 3PAO, and the 3PAO's assessment report becomes part of the CSP's security package. The 3PAO also continues to work with the CSP after authorization, performing the annual assessment and assessing significant changes during continuous monitoring.
Alongside this official work, 3PAO firms also act as consultants for CSPs, helping them not only with compliance but with additional security goals and challenges. The practical caveat is independence: the 3PAO that assesses a system must be independent of the CSP and must not have designed or implemented the controls it is assessing, so advisory work and assessment work on the same system cannot come from the same 3PAO.
What is the FedRAMP Authorization Process?
There are two similar paths for CSPs to achieve ATO or P-ATO status:
- Agency: The CSP partners with a federal agency and a 3PAO to undergo the authorization process based on the specific needs of the agency, resulting in an agency ATO upon completion.
- JAB: The CSP works directly with the JAB and a 3PAO for a broader review against the full FedRAMP baseline. Individual agencies can then reuse that review, adding any additional requirements they need, and issue their own ATOs. This path results in a P-ATO upon completion.
FedRAMP authorization is broken down into a series of stages, each with its designation:
- In the initial stages, an agency establishes a partnership with a CSP, either through the FedRAMP Marketplace or independently via RFP. The agency and the CSP devise a plan for authorization based on the needs of the agency and the capabilities of the CSP, including the CSP's ability to complete the authorization process. At this point, the CSP engages an accredited 3PAO to help plan the authorization. The CSP can also obtain the "FedRAMP Ready" designation, in which the 3PAO produces a Readiness Assessment Report (RAR) attesting that the CSP is prepared for the full assessment. A P-ATO through the JAB requires the Ready designation, and it is recommended even for CSPs working through the agency route.
- The CSP and the 3PAO compile a series of documents, including a System Security Plan (SSP) that describes how the CSP implements every control in its baseline (and which controls are inherited from an underlying provider or shared with the customer), and a Security Assessment Plan (SAP) in which the 3PAO outlines the tests it intends to run to demonstrate the CSP's compliance. Once an agency or the JAB has formally accepted the engagement, the CSP is designated "FedRAMP In Process".
- The 3PAO runs all tests outlined in the SAP, including penetration testing and vulnerability scanning. From this, it generates a Security Assessment Report (SAR) that the agency reviews to determine suitability and, if necessary, any remediation requirements. Findings the CSP cannot close before authorization are tracked in a Plan of Action and Milestones (POA&M) that states how and when each issue will be addressed.
- Once the CSP is found to meet FedRAMP requirements, the CSP submits the complete Security Authorization Package, which includes the SSP, the SAP, the 3PAO's SAR, the POA&M, and the plan for Continuous Monitoring. Upon acceptance of the package, the CSP is granted an ATO or P-ATO, depending on its path.
- The CSP then enters "Continuous Monitoring", where on a rolling schedule it delivers vulnerability scan results and an updated POA&M (monthly), undergoes an annual assessment by its 3PAO, and reports any significant change to the system (such as a new component or a change in the authorization boundary) before implementing it.
What are the FedRAMP Security Controls?
FedRAMP baselines are built from the 20 security control families defined in NIST SP 800-53 Revision 5 (the two-letter identifier in parentheses is the prefix used for each control, e.g. AC-2):
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Assessment, Authorization, and Monitoring (CA)
- Configuration Management (CM)
- Contingency Planning (CP)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Physical and Environmental Protection (PE)
- Planning (PL)
- Program Management (PM)
- Personnel Security (PS)
- Personally Identifiable Information Processing and Transparency (PT)
- Risk Assessment (RA)
- System and Services Acquisition (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
- Supply Chain Risk Management (SR)
What are FedRAMP Impact Levels?
Every CSP is required to meet a specific baseline of security controls based on the agencies it works with and the kinds of data its service handles. FedRAMP uses the FIPS 199 security categorization, which rates the potential impact of a loss of confidentiality, integrity, or availability of the data, to determine which baseline applies.
FedRAMP breaks down security requirements into three impact levels. The control counts below are for the Rev 4 baselines (the Rev 5 baselines contain 156, 323, and 410 controls respectively):
- Low Impact applies where the loss of confidentiality, integrity, or availability would have only a limited adverse effect on the agency's operations, assets, or individuals; this is typically public or otherwise non-sensitive information. The Low baseline contains 125 required security controls. (A tailored Low-Impact SaaS, or LI-SaaS, baseline with fewer controls exists for low-risk SaaS offerings such as collaboration tools.)
- Moderate Impact applies where a loss would have a serious adverse effect on the agency's operations or on the financial or physical security of individuals. The data is not public, and most FedRAMP authorizations are at this level. The Moderate baseline contains 325 required security controls.
- High Impact applies where a loss would have a severe or catastrophic adverse effect, critically damaging the agency's ability to continue operations or endangering the physical or financial well-being of individuals, up to and including serious bodily harm or loss of life. The High baseline contains the most required security controls, at 421.
What are NIST and Special Publication 800-53?
The National Institute of Standards and Technology (NIST) is a non-regulatory agency that is part of the United States Department of Commerce. Its mission is “To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”
Among many other responsibilities, NIST creates and promotes information security standards and guidelines for the federal government. These are published in NIST's SP 800 series, including NIST SP 800-53 (also known as NIST 800-53), "Security and Privacy Controls for Information Systems and Organizations", which catalogs the security and privacy controls for all federal information systems other than national security systems. Under OMB policy, federal agencies must comply with NIST standards and guidelines within one year of their publication.
What is FISMA?
FISMA was first enacted in 2002 as the Federal Information Security Management Act, then updated in 2014 as the Federal Information Security Modernization Act. FISMA applies to:
- All federal government agencies
- State agencies that administer federal programs, such as Medicare/Medicaid and student loans
- Contractors and other private-sector organizations that collect, process, or store federal information, or operate information systems, on behalf of a federal agency, including firms that sell services to the government and recipients of federal funds where the program requires it
In a nutshell, FISMA requires agencies to implement information security controls using a risk-based approach. The primary framework for FISMA compliance is the NIST Risk Management Framework (SP 800-37), with NIST 800-53 as the control catalog. A system that is shown to meet FISMA requirements is granted an Authorization to Operate (ATO) by the Authorizing Official of the federal agency it serves. That ATO applies only to that particular agency; if an organization has contracts with multiple federal agencies, it must obtain an ATO from each one. The logic behind this is that every federal agency has different data, missions, and risk tolerances, so different controls may apply. A FISMA assessment may be performed directly by the agency granting the ATO or by a third-party security assessor.
Even if your organization does not currently operate in the public sector, it is important to understand the fundamentals of FISMA, FedRAMP, and NIST. The U.S. government is the single largest buyer of goods and services in the world, and your company may ultimately want to tap this lucrative market. Second, any information security standards that the federal government implements will ultimately trickle down into state and local laws, as well as industry frameworks.
If you are an SMB or enterprise ramping up for FedRAMP or CMMC compliance, contact Lazarus Alliance at 1-888-896-7580 or through the form below to learn how we can help you navigate the process.