Understanding FedRAMP Compliance and Authorization
Everything You Need to Know to Prepare for and Achieve FedRAMP Authorization

What is FedRAMP?
FedRAMP, the Federal Risk and Authorization Management Program, is a framework your organization can use to build cloud security into your overall security program, including cloud security assessments, monitoring, and process implementation. FedRAMP is a requirement for all cloud services providers (CSPs) and cloud solutions used by federal government agencies that handle federal data.
The FedRAMP program has been in place for nearly a decade, following a 2011 memo from the U.S. Federal Office of Management and Budget (OMB) establishing guidelines for federal cloud security. Since then, an increasing number of federal agencies have adopted cloud technologies and cloud services providers, opening up new avenues for bad actors wanting to maliciously access, exfiltrate, or corrupt sensitive and important federal information.
In this FedRAMP compliance knowledgebase, we’ll help you better understand what FedRAMP is, who should be FedRAMP authorized, and establish a foundation to help set you on the course for a FedRAMP authorization.

Understanding the FedRAMP Authorization Requirements
From cost-savings to ease of scaling, cloud solutions provide organizations with a number of benefits, but moving protected and sensitive federal data from on-premises to the cloud also creates new challenges.
Among these challenges are increasingly complex methods needed to secure data, especially for small and mid-sized businesses (SMBs) that may lack the resources or available talent to add cloud security into existing cybersecurity practices.
Threat actors know many CSPs and other cloud solutions have access to a gamut of sensitive and valuable data and that puts them increasingly in these attackers’ crosshairs for nefarious actions. Oracle’s 2020 Cloud Threat Report, for example, reveals that 92% of respondents know they have a cloud-readiness gap and more than half—60%—say they’ve been victims of cloud credentials phishing.
The federal government established FedRAMP to help streamline best practices for cloud security for all federal agencies and the partners they work with. Before the General Services Administration (GSA) established the FedRAMP Program Management Office (PMO) in 2012, each federal agency had its own security requirements for CSPs. Before FedRAMP, if one agency approved a cloud service provider, the CSP had to repeat the process before approval by another. As a result, there was little consistency and a lot of duplicate work, both for the government and for its potential service partners.
Today, these cloud security best practices are aligned with the Federal Information Security Modernization Act (FISMA), which requires all agencies to protect federal data, and OMB Circular A-130, which dictates that agencies use National Institute of Standards and Technology (NIST) standards when implementing FISMA.
FedRAMP streamlines cloud security approaches into standardized security measures your organization can implement and measure with a common baseline.
There are two ways your organization can become FedRAMP authorized. One is by earning a Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) and the other is to earn an individual FedRAMP Agency Authorization to Operate (ATO). If your organization successfully completes a FedRAMP authorization to work with one federal agency, you can use that authorization package to work with other agencies.
Organizations that successfully obtain authorization must undergo continuous monitoring and are subject to annual re-assessments to retain authorized status.
Should My Organization be FedRAMP Authorized?
If you’re a cloud service provider or host a cloud software solution and you create, process, store, or transmit federal data, you are required to be FedRAMP compliant and successfully earn—and maintain—a FedRAMP authorization.
In addition to being able to do business with federal agencies, as a FedRAMP authorized organization you can expand your service offerings to other federal agencies and demonstrate to these agencies and others that you take information security seriously and that you’ve implemented and tested your data security controls and shown that they are effective and meet industry best practices.
Today, there are 218 cloud services organizations in the FedRAMP Marketplace that have successfully earned FedRAMP authorization. Another 54 are in process with an additional 35 designated as FedRAMP Ready.
Reaping the Benefits of FedRAMP Authorization for Your Organization
There are a number of benefits of adopting cloud security best practices from industry-approved frameworks.
Frameworks such as FedRAMP remove the guesswork from your processes and help you build a cloud security program with controls and procedures that other organizations have successfully implemented and demonstrated to be effective against potential breaches and other cyber-threats.
Another benefit of FedRAMP framework adoption is it can help your organization decrease duplicate efforts and achieve cost and process efficiencies. For example, if you successfully earn a FedRAMP authorization from one federal agency, you can use that authorization package as a foundation for working with other agencies.
FedRAMP Framework Alignments
FedRAMP aligns with other industry-recognized best practices for security such as FISMA and NIST. FISMA mandates that all agencies protect federal data, while NIST standards define requirements for cloud security, including how to do assessments and what processes you should implement to successfully ensure FedRAMP compliance. If your organization has already implemented NIST SP 800-53 standards, you may be well on your way to earning your FedRAMP Authorized designation. That’s because FedRAMP controls are based on NIST 800-53 standards, but they’ve been adjusted to meet cloud security needs.
Did you know that you can use Apptega to crosswalk multiple security frameworks used by your organization?
Apptega’s Harmony intelligent framework mapping engine helps you manage all of your controls, giving you insight into where individual controls are applicable across multiple frameworks, including sub-controls, resources, and security related activities. Harmony helps you eliminate redundancy, gives you insight into the effectiveness of your controls, and helps you quickly identify gaps that need more attention.
Manage Your FedRAMP Controls With Ease in Apptega
There are 17 core FedRAMP domains your organization must master and demonstrate to obtain and retain FedRAMP compliance. These controls align with NIST SP 800-53 standards, but have been adjusted to reflect the specific needs of cloud environments.
If you’re like most organizations, you may already have some or all of these controls in place, but without a cybersecurity framework management platform like Apptega, it can be difficult to see all of your controls, which ones are working as designed, and where you may have security gaps. Apptega can help you streamline this process and approach your FedRAMP authorization journey with unprecedented confidence and reliability.
Understanding FedRAMP Impact Levels
FedRAMP outlines three impact levels for cloud security offerings:
- Low
- Moderate
- High
FedRAMP impact levels align with three core security objectives:
- Confidentiality: Protection of personal and proprietary information
- Integrity: Ensuring sufficient safeguards for information so it cannot be modified or destroyed
- Availability: Ensuring information can be accessed in a timely and reliable manner
Before beginning your FedRAMP authorization process, you should understand which impact level is applicable for your organization. Let’s take a closer look at each level and what it means in relation to Federal Information Processing Standard 199 (FIPS 199), which establishes the standards organizations must meet for categorizing information and information systems:
- Low Impact: This means the loss of confidentiality, integrity, and availability of information would have a low level of impact on a federal agency, including assets, individuals, and operations. The FedRAMP Low Baseline represents 125 controls, while Low-Impact Software as a Service (SaaS) is based on 36 controls.
- Moderate Impact: This means the loss of confidentiality, integrity, and availability of information would have a serious level of impact on a federal agency, including assets, individuals, and operations.
- High Impact: This means the loss of confidentiality, integrity, and availability of information would have a severe or catastrophic level of impact on an agency’s assets, individuals, or operations.
Understanding FedRAMP Authorization Paths
If you’re a cloud services provider or a cloud software provider and you want to work with federal agencies, you’ll need to obtain formal authorization first. There are two types of authorization that demonstrate your organization meets FedRAMP compliance requirements:
1. Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO): For large, multi-tenant CSPs that offer a wide range of capabilities or use cases and would likely be used by multiple federal agencies.
2. FedRAMP Agency Authority to Operate (ATO): Most organizations are probably best suited for an ATO designation, which means the CSP’s capabilities are likely limited to a few federal agencies.
How to Earn a FedRAMP JAB P-ATO Authorization
Each year the Joint Authorization Board (JAB) reviews CSPs on the government’s behalf to determine each CSP’s risk posture. The JAB generally selects about 12 large, multi-tenant CSPs for P-ATO consideration annually, usually three for each quarter.
During this process, the JAB will determine whether the CSP meets all FedRAMP requirements and whether the CSP’s capabilities are applicable to multiple federal agencies. If so, the CSP can undergo the process to obtain P-ATO authorization, and once designated, it will remain under ongoing JAB monitoring and be subject to annual reviews to ensure sustained compliance.
Here’s a quick walkthrough of the P-ATO authorization process:
- If you believe your organization meets P-ATO criteria, you must submit a business use case as part of FedRAMP Connect before consideration for the next phase of the P-ATO authorization process. This use case should outline your organization’s capabilities, strengths, and solution benefits.
- The JAB will evaluate your organization against a range of criteria.
- If you make it through FedRAMP Connect, you have 60 days to earn an official FedRAMP Ready designation from the Federal Risk and Authorization Management Program.
- During the FedRAMP Ready process, you must work with an accredited third-party assessment organization (3PAO) to complete an independent security assessment. Successfully completing this assessment, including a Readiness Assessment Report (RAR) of your current security posture and capabilities, indicates your organization is ready to move on to the next phase of the FedRAMP authorization process.
- After FedRAMP Ready, you’ll be subject to a full security assessment, including:
  - Finalizing your System Security Plan (SSP)
  - Working with a FedRAMP 3PAO to complete an assessment against FedRAMP requirements and security controls
  - Receiving a Security Assessment Report (SAR)
  - Establishing a Plan of Action and Milestones (POA&M) that outlines your plans to address any security gaps listed in your SAR
  - Including your SSP, SAR, and POA&M in a security package for JAB review
- During the authorization review phase, JAB will review your security package, a process that can take several weeks.
- If JAB determines you meet FedRAMP requirements, your organization will receive a P-ATO designation.
- As a P-ATO holder, your organization is subject to continuous JAB monitoring and annual assessments to ensure ongoing compliance.
How to Earn a FedRAMP Agency ATO
Most organizations will want to pursue an individual ATO. That means your capabilities aren’t as far-reaching, or aren’t likely to be as widely adopted, as a larger cloud solution. This is generally applicable for organizations that want to work with just one or two federal agencies. Unlike the P-ATO, which is overseen by a board, an ATO designation comes directly from the federal agency you want to work with. If you successfully earn an ATO, it’s tied directly to that agency, but you can seek authorization from other federal agencies by using your initial ATO as a starting point; however, you may be asked to meet additional requirements or address other security requirements for each new agency you want to work with.
Here’s a quick walkthrough of the Agency ATO authorization process:
- While not required, a great starting point on your ATO authorization journey is to complete a readiness assessment to determine if you meet FedRAMP requirements. This should include completing the RAR of your capabilities and security posture.
- Once you’ve completed your RAR, connect with the federal agency you want to work with. This federal agency will serve as your ATO sponsor throughout the authorization process.
- Before engaging with your federal agency, you should ensure you:
  - Have a fully built solution
  - Have a leadership team committed to FedRAMP processes
  - Complete a CSP Information Form
  - Determine the data security categorization for your system
- Plan a kick-off meeting with your FedRAMP sponsor
- Complete a full security assessment with a 3PAO, including documentation of your SSP, SAP, SAR, and POA&M.
- The FedRAMP PMO will review your security package documentation
- You may be asked to take part in a SAR debrief with the PMO
- You must successfully pass a risk assessment
- If you pass the risk assessment, the federal agency can issue you an ATO letter outlining the agency’s risk tolerance
- If you successfully earn an agency ATO designation, your organization will be listed in the FedRAMP Marketplace
- Like P-ATO holders, ATO-authorized organizations are subject to continuous monitoring and annual compliance assessment.
A Look at FedRAMP Control Families
FedRAMP controls are divided among 17 core domains, which can also be referred to as control families. Each of these 17 families falls into one of three primary classes: technical, operational, and management.
The FedRAMP control families are based on NIST 800-53 standards, but each control is adjusted to reflect specific requirements for securing cloud environments. Each domain, or family, consists of a grouping of controls directly related to your CSP’s impact level. For example, there are 125 controls for low-impact systems, 325 controls for moderate-impact systems, and 421 controls for high-impact systems. You can refer to FIPS 199 to determine your CSP’s impact level and the FedRAMP control requirements that apply.
For example, if your solution is considered low impact, under the Access Control family you’d be expected to meet 11 controls; however, if your solution is moderate impact, you’d have to meet 17 controls for the Access Control family.
Here are the 17 core families:
1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Certification, Accreditation and Security Assessment
5. Configuration Management
6. Contingency Planning
7. Identification and Authentication
8. Incident Response
9. Maintenance
10. Media Protection
11. Physical and Environmental Protection
12. Planning
13. Personnel Security
14. Risk Assessment
15. System and Services Acquisition
16. System and Communications Protection
17. System and Information Integrity
For a complete list of all the domains, classes, and control requirements, check out the FedRAMP Control Quick Guide from GSA at https://www.gsa.gov/cdnstatic/FedRAMP_Control_Quick_Guide_V12_%281%29.pdf.
Preparing for Your FedRAMP Assessments
Whether you’re preparing for a readiness assessment or you’re prepping your security package for FedRAMP authorization review, some best practices can help you streamline your processes, improve documentation, and approach your assessments with confidence.
Here are a few general recommendations to help you prepare for your FedRAMP assessments:
- As we mentioned earlier, to get started with FedRAMP, you need to understand whether you’re best suited for a P-ATO or an individual agency ATO. Review your solution and evaluate whether you have multi-tenant capabilities (for a P-ATO) or whether you’re more likely aligned to working with just one or a couple of agencies (for an ATO).
- Next, evaluate your security impact level (low, moderate, high) based on FIPS 199 standards.
- Once you know your impact level, review the FedRAMP Control Quick Guide to determine which (and how many) controls you’ll be expected to meet for your FedRAMP authorization.
- Next, evaluate your existing controls against your FedRAMP requirements to determine which controls function as intended and which are not in place or are not functioning properly. Make plans to implement missing controls and to address performance issues where you fall short.
- Before engaging with a 3PAO, conduct an internal review of your security controls and identify where you’re meeting FedRAMP requirements and where you may have weaknesses.
- Document your known deficiencies as well as your plans to mitigate or remediate those risks.
- Where possible, remediate as many security weaknesses as you can and then conduct an internal review on control effectiveness before your 3PAO assessment.
- Complete a Readiness Assessment Report, and then follow up with your Security Assessment Report, your System Security Plan, and your Plan of Action and Milestones report.
- Continuously monitor your controls and remediate any issues leading up to your formal 3PAO assessment.
- If you successfully earn your P-ATO or ATO designation, remember you’re going to be subject to continuous monitoring and annual re-evaluation. It’s a good idea to routinely conduct internal reviews before an issue occurs to keep you one step ahead of threat actors as well as mitigate potential future compliance issues.
- By continuously evaluating your program and taking the right steps to avoid a breach or other security issues, you can demonstrate your organization takes FedRAMP security seriously and in good faith you’re working toward closing all gaps and maturing your security posture.
FedRAMP FAQs
FedRAMP, the Federal Risk and Authorization Management Program, is a framework that establishes a standardized approach for cloud security assessments, monitoring, and process implementation. FedRAMP authorization is required for all cloud services providers and cloud software solutions that create, process, store, or transmit federal data.
The FedRAMP Program Management Office (PMO) resides within the General Services Administration (GSA). The PMO helps federal agencies and cloud services providers through FedRAMP authorization and is responsible for maintaining FedRAMP authorizations so they can be reused in security packages.
The FedRAMP certification is referred to as a FedRAMP authorization. There are two FedRAMP authorization paths: one through the Joint Authorization Board (JAB), called a Provisional Authority to Operate (P-ATO), which is designed for multi-tenant, multi-capability CSPs that may serve many federal organizations; the other is an agency Authority to Operate (ATO), which is for CSPs working directly with a federal agency.
FedRAMP is required for all cloud services providers who work with federal agencies and who create, process, store, or transmit federal data.
If your organization is a cloud services provider or other cloud solution and you want to do business with a federal agency, you should be FedRAMP compliant as either a JAB P-ATO or an agency ATO.
If you are not FedRAMP compliant, you will not be able to offer cloud services to a federal agency.
There are three impact levels related to FedRAMP: low, moderate, and high.
- Low Impact: The loss of confidentiality, integrity, and availability would result in a low level of negative impacts on a federal agency’s assets, individuals, or operations.
- Moderate Impact: The loss of confidentiality, integrity, and availability would result in a serious level of negative impacts on an agency’s assets, individuals, or operations.
- High Impact: The loss of confidentiality, integrity, and availability would result in a severe or catastrophic level of negative impacts on an agency’s assets, individuals, or operations.
There are 17 control domains for FedRAMP. Each domain, or family, consists of a grouping of controls directly related to your CSP’s impact level. For example, there are 125 controls for low-impact systems, 325 controls for moderate-impact systems, and 421 controls for high-impact systems. You can refer to FIPS 199 to determine your CSP’s impact level and the FedRAMP control requirements that apply.
Yes. You can map the FedRAMP cloud security framework to other frameworks and controls. In fact, FedRAMP is closely aligned to NIST 800-53. You can use Apptega’s Harmony intelligent framework mapping engine to map all controls across all of your existing frameworks to eliminate redundancy and gain instant insight into control effectiveness and where you have gaps to remediate.
FedRAMP In Process is a designation given to cloud services providers that indicates the JAB is in the process of reviewing the CSP for authorization. If your organization is “In Process” through FedRAMP and you want to work with an additional federal agency, that federal agency can evaluate your existing authorization package to determine the possibility of an ATO designation.
Costs associated with FedRAMP certification, or authorization, depend on a variety of factors, including the complexity of your CSP, your impact level, and how many controls you’re required to implement. Some FedRAMP authorization expenses are estimated at tens of thousands of dollars, ranging up to several million dollars.
Here are some well-known companies with FedRAMP authorization: Adobe, Amazon Web Services (AWS), BlackBerry, Canon, Cisco, Deloitte, DocuSign, GitHub, Google Cloud Service, Hootsuite, IBM, McAfee, Microsoft Azure, Okta, Oracle, Salesforce, Trello, and Zoom. For a complete list of approved CSPs, visit https://marketplace.fedramp.gov.
FedRAMP compliance resources are in Apptega’s FedRAMP Marketplace. In the marketplace, you can quickly access products and services to help you with your FedRAMP authorization process, including access to consultants with expertise in your specific compliance areas. You can also find additional supporting documents and templates at https://www.fedramp.gov/documents-templates.