FedRAMP refers to the Federal Risk and Authorization Management Program, a US government-created program to smooth the connection between its federal agencies and cloud service providers.

The General Services Administration (GSA) established the FedRAMP Program Management Office (FedRAMP PMO) to help achieve the following goals:

  • Help cloud service providers offer their services to the federal government.
  • Connect cloud service providers with third-party assessment organizations (3PAOs).
  • Allow government agencies to make more use of secure cloud solutions.
  • Improve how governments secure and authorize cloud computing technologies, including the use of Federal Information Processing Standard (FIPS) encryption.
  • Develop partnerships with FedRAMP stakeholders.

This post will examine the benefits of using FedRAMP and will provide an overview of the system and its requirements for cloud service offerings (CSOs).

FedRAMP Benefits

The government introduced FedRAMP as an interface between federal agencies and increasingly used cloud products that must be secured to a sufficient standard. FedRAMP helps federal agencies and cloud service offerings (CSOs) connect while also providing standardization.

Through FedRAMP, federal agencies can reuse authorizations. Once authorized, a cloud service can be used by multiple agencies, which is more efficient and streamlines processes for all federal agencies.

Federal agencies can also benefit from the following when using FedRAMP:

  • Reduce inconsistencies
  • Increase efficiency, especially by avoiding duplication of effort
  • Facilitate innovation and the development of more secure information technologies
  • Ensure the use of a clear, standardized, common security framework that promotes the use of secure cloud services
  • Offer a standardized system for risk assessment in connection with cloud products

The FedRAMP Authorization Process

Through FedRAMP, the federal government aims to promote more widespread and efficient use of modern cloud technologies. However, this cannot be achieved without the requisite levels of security and assurances that CSOs have met and continue to meet those standards.

So, FedRAMP’s emphasis is on security and information protection. It uses a risk-based system to assess and approve potential partners to the federal government.

Cloud services must meet standard security requirements in accordance with the following:

There are two main paths to authorization: the Joint Authorization Board (JAB) path and the individual agency path. Although CSOs can engage with an individual federal agency at any time, seeking authorization from the JAB is the path that prioritizes authorization through the FedRAMP system.

Once authorized, FedRAMP stores the security details of the CSO, whichever path was used. As this post is concerned with exploring FedRAMP, it will look at the JAB authorization path, which uses FedRAMP more heavily.

The JAB Authorization Path

The JAB includes the Chief Information Officers (CIOs) of the General Services Administration (GSA), the Department of Homeland Security (DHS), and the Department of Defense (DoD). As FedRAMP’s primary governing body, the JAB performs the continuous monitoring required for authorized CSOs to remain part of the FedRAMP program.

FedRAMP agency authorization takes place across three stages:

  • Preparation
  • Authorization
  • Continuous Monitoring

Stage 1 - Preparation

During the preparation phase, CSOs are expected to make the relevant technical and procedural adjustments required to become FedRAMP-compliant.

At this stage, several security deliverables are necessary. The CSO can put these together itself, or it can enlist the help of a third-party assessment organization (3PAO). In any case, a 3PAO will be necessary to audit the CSO and attest that it meets the requirements of the FedRAMP program.

The JAB evaluates CSOs through the FedRAMP Connect system. In this way, it prioritizes 12 CSOs per year using JAB Prioritization Criteria. The JAB then selects CSOs at specific times during the year.

CSOs must meet JAB Prioritization Criteria to use this service, completing a FedRAMP Business Case (a PDF and Excel worksheet) and sending it to info@fedramp.gov to prove their need for a fast-tracked security authorization. Mostly, this involves proving there is already a wide federal agency demand for the CSO.

Following this, a Readiness Assessment is required. While this is optional if a CSO works directly with an agency, it is obligatory for those using the JAB authorization process.

The Readiness Assessment includes:

  • Development of the Readiness Assessment Report (RAR)
  • A review of the RAR
  • Remediation, if required

When the CSO is deemed FedRAMP Ready, it can then undergo a full security assessment. This assessment involves:

  • Finalizing the System Security Plan (SSP) and connecting with an approved 3PAO
  • Development of a Security Assessment Plan (SAP) by the 3PAO, a full security assessment, and the production of a Security Assessment Report (SAR)
  • Development of a Plan of Action and Milestones (POA&M) by the CSP, which is intended to monitor and manage security risks based on the SAR
  • Deliverables confirming one month of continuous monitoring

These four categories of information should be submitted simultaneously using templates provided at fedramp.gov.

How long preparation takes depends on the CSO’s infrastructure and security posture in relation to government standards. Following a full month of continuous monitoring, the process will take at least two weeks to progress to the next stage, which is authorization.

Stage 2 - Authorization

Once initiated, this part of the JAB authorization path takes roughly three months to complete. During this time, the JAB performs a security package review and a risk analysis, and determines which risks to accept.

Reviewing the Readiness Assessment, remediation, and final review should each take around four weeks. Having passed successfully through this security assessment, the CSO can receive a Provisional Authority to Operate (P-ATO) and a FedRAMP Marketplace Designation.

Whichever route is taken, whether directly through an agency or through the JAB, the security packages are stored by FedRAMP for review, risk analysis, and reuse.

Stage 3 - Continuous Monitoring

This is arguably post-authorization, but it is nonetheless a critical part of the security authorization process for CSOs seeking contracts with the US Government.

All CSOs that have achieved FedRAMP compliance must submit to the following:

In addition, their deliverables must include:

Ultimately, individual agencies are responsible for final approval regarding CSOs. However, JAB facilitates continuous monitoring and helps federal agencies make those decisions.

Throughout the continuous monitoring process, the JAB maintains responsibility for the following:

  • Regularly reviewing continuous monitoring and security artifacts
  • Suspending or revoking a CSO’s P-ATO, according to FedRAMP compliance criteria
  • Authorizing or denying a CSO’s Deviation and Significant Change Requests
  • Ensuring the prompt transmission of continuous monitoring deliverables to leveraging agencies

Levels of FedRAMP Agency Authorization

Achieving JAB authorization is not the end game for FedRAMP certification. Continuous monitoring means constantly maintaining the levels attained during the preparation phase and any remedial activities.

Furthermore, there are three security authorization levels. The category into which a CSO falls determines which federal agencies could potentially partner with it.

To categorize CSOs, JAB considers three common and pivotal cybersecurity objectives: Confidentiality, Integrity, and Availability (CIA).

  • Confidentiality — Access to information systems must include data and privacy protection protocols.
  • Integrity — Information in storage must be protected from being destroyed or modified without authorization.
  • Availability — The information stored by the CSO must be readily available.

In view of these three considerations and using security controls derived from the National Institute of Standards and Technology’s NIST SP 800-53, CSOs can find themselves placed in one of three impact levels according to their security postures:

  • Low impact
  • Moderate impact
  • High impact

Low Impact Level

This is the category for CSOs suitable for processing or storing low-impact data. The low impact here means that compromising confidentiality, integrity, or availability would have limited negative effects on the federal agency.

According to FedRAMP, low-impact data has two baselines:

LI-SaaS Baseline

This refers to Low-Impact SaaS (Software as a Service) applications that only store personally identifiable information (PII) for login purposes. Accordingly, a CSO requires fewer security controls to achieve and maintain this level of FedRAMP accreditation.

Low Baseline

The Low Baseline categorization requires more NIST SP 800-53 security controls than the LI-SaaS Baseline, and those controls must still be tested and verified, but fewer controls are required than for Moderate or High Impact CSOs.

Moderate Impact Level

Most CSP applications achieving FedRAMP certification are in the moderate impact category. This is for CSOs in which a loss of confidentiality, integrity, or availability would cause significant negative effects for a federal agency in terms of its people, its assets, and its operations.

High Impact Level

The High Impact Level category is usually reserved for CSOs that work with critical systems, such as those in finance, healthcare, law enforcement, and emergency services. A loss of confidentiality, integrity, or availability for such services could lead to severe or even catastrophic detrimental effects.
