Cloud service providers (CSPs) that want to serve Federal agencies must go through the FedRAMP authorization process (commonly called FedRAMP certification). To make that process easier, the government and the FedRAMP governing bodies have developed several tools and programs. One of these, introduced within the last five years, is the FedRAMP Accelerated program and its FedRAMP Ready designation.
Learn more about the FedRAMP Ready path, how it can help your organization reach a full ATO, and the important role that 3PAOs play in the process.
What is a “FedRAMP Ready” Designation and What Does it Mean for CSPs?
FedRAMP certification is a long and arduous process in terms of both financial cost and work hours. Undergoing a FedRAMP assessment does not guarantee an organization an Authorization to Operate (ATO), which can mean a lot of wasted resources for that organization and for its 3PAO.
To ease some of this burden and to accelerate the process of FedRAMP certification (more on that later), the U.S. General Services Administration created a new program that included a designation of “FedRAMP Ready”. This designation is probably what you think it is, but carries some specifics:
- A CSP can receive a FedRAMP Ready designation by demonstrating their capability to complete the FedRAMP certification process, in conjunction with their 3PAO.
- The 3PAO compiles a Readiness Assessment Report (RAR) to provide to FedRAMP governing bodies for review.
- Once readiness has been assessed by the 3PAO, the FedRAMP Program Management Office (PMO) determines if the CSP can work through the FedRAMP process. These organizations receive FedRAMP Ready designation.
- The Joint Authorization Board (JAB) reviews vendors designated as FedRAMP Ready and prioritizes authorizations for these organizations accordingly.
The major benefits of this designation are twofold. First, it eases the path towards full ATO by providing a framework for an organization’s preparedness for the process. Second, it allows that organization to be listed on the FedRAMP Marketplace to increase their visibility with Federal agencies looking for a CSP partner.
Overall, undergoing a readiness assessment is far less demanding than pursuing full certification. The Readiness Assessment Report, however, is no walk in the park and requires substantial work on the CSP's part to demonstrate FedRAMP readiness.
How Do 3PAOs Help CSPs Get FedRAMP Ready?
3PAOs are critical partners in the FedRAMP certification process. They work with CSPs to not only audit their preparedness and capabilities but continue to work with them after certification so that CSPs remain compliant in their monitoring and reporting requirements. Likewise, these same 3PAOs are critical partners for FedRAMP Readiness.
In short, only a 3PAO can assess a cloud service provider and produce the RAR that determines its readiness. That report is the key component the FedRAMP governing bodies use to award FedRAMP Ready status.
It is the 3PAO's responsibility to perform specific assessments of the CSP, including:
- Reporting on the CSP's compliance with the controls of the relevant impact baseline (Low, Moderate, or High)
- Providing a methodology and structure for the assessment and including them in the report
- Preparing the CSP for the full assessment that follows once readiness has been granted
In its guidance for 3PAOs performing readiness assessments, FedRAMP acknowledges that not every CSP that is assessed will go on to complete authorization. It is therefore the 3PAO's responsibility not only to assess the organization but to make a compelling case that the CSP can complete the full authorization process. The 3PAO is a key consultant for any CSP seeking the FedRAMP Ready designation and can work with that CSP over several engagements to prepare it for the readiness assessment.
FedRAMP also sets expectations for how 3PAOs engage CSPs during a FedRAMP Ready assessment:
- 3PAOs are required to conduct in-person interviews and consultation with their CSP clients as part of the RAR assessment.
- 3PAOs perform vulnerability scans of the systems within the authorization boundary, including servers, network devices, and any mobile devices in scope.
- The RAR must include a demonstration by the CSP, documented by the 3PAO, of how quickly the provider can remediate security findings according to their risk level (High, Moderate, or Low).
- While FedRAMP requires a penetration test for full authorization, the FedRAMP Ready designation does not. The 3PAO, however, must document its rationale for not performing one (for example, a demonstration of the CSP's ability to segregate customer data and to address known vulnerabilities).
What is FedRAMP Accelerated?
FedRAMP Ready is the product of a more comprehensive program called FedRAMP Accelerated.
In late 2016, the FedRAMP governing body hosted a gathering of over 400 CSPs and 3PAOs, along with federal agencies, to unveil FedRAMP Accelerated, a program intended to speed the authorization process with JAB without sacrificing the rigor of the program.
The goal of this program is to help prepare CSPs for the FedRAMP process, and it led to the FedRAMP Ready designation, which replaced the previous CSP-supplied path.
Prior to the FedRAMP Accelerated program, a CSP had three paths to authorization:
- Agency sponsorship, in which a Federal agency sponsors the CSP, reviews the assessment package with the PMO's involvement, and decides whether to grant an ATO.
- The JAB path, in which the JAB and the PMO review the package and issue a Provisional ATO (P-ATO) that Federal agencies can then leverage to issue their own ATOs.
- The CSP-supplied path, in which the CSP submitted an assessment package to the FedRAMP PMO for review, followed by Federal agency review for an ATO.
The Accelerated program replaces the third path with the FedRAMP Ready designation and brings 3PAOs into the process. It does not, however, require a Ready designation for CSPs working towards an ATO through agency sponsorship.
What are the Differences Between FedRAMP Ready and Authorized to Operate Designations?
FedRAMP Ready does not mean that a CSP is ready to actually serve as a cloud provider for Federal agencies. With that in mind, CSPs need to understand what the difference is between a FedRAMP Ready designation and their FedRAMP ATO:
- FedRAMP Ready signifies that the CSP is prepared for the FedRAMP authorization process. They have completed preliminary audits regarding their security and compliance capabilities, but they have not completed all of their required audits. Outside of preparedness, the FedRAMP Ready designation can help organizations move towards ATO by allowing them listings on the FedRAMP Marketplace, where they can potentially find a partner agency in the federal government.
- Authorization to Operate is the goal of FedRAMP certification overall. ATO requires that an organization complete the stringent and rigorous requirements of FedRAMP compliance before they can provide cloud services for a Federal agency.
In either case, a 3PAO assessment is required for a CSP to earn the Ready designation or an ATO.
FedRAMP certification is a tough process, but the government works hard to make the process as straightforward as possible. They don’t gain anything from making the logistics difficult for companies that otherwise could meet requirements, and organizations that want to help serve the public shouldn’t have to jump through unnecessary hoops.
CSPs pursuing FedRAMP certification for the first time should consider the FedRAMP Ready path with their 3PAO. This step can open doors with Federal agencies while also uncovering the organization's strengths and weaknesses in security and compliance.
Discover how Lazarus Alliance, a FedRAMP-accredited 3PAO, can help you pursue your FedRAMP Ready designation or ATO. Call us at 1-888-896-7580 or reach us through the form below.