This blog was written by a third-party author
The Federal Risk and Authorization Management Program (FedRAMP) is a compliance program established by the US government that sets a baseline for cloud products and services regarding their approach to authorization, security assessment, and continuous monitoring.
The program’s governing bodies include the Office of Management and Budget (OMB), US Department of Homeland Security (DHS), National Institute of Standards and Technology (NIST), US General Services Administration (GSA), US Department of Defense (DoD), and the Federal Chief Information Officers (CIO) Council.
Any cloud service provider that wishes to offer products and services to the US government must establish FedRAMP compliance. Using the NIST Special Publication 800 series as a baseline, FedRAMP requires cloud service providers to undergo an independent security assessment conducted by a third-party assessment organization (3PAO) to ensure that authorizations comply with the Federal Information Security Management Act (FISMA).
Note: The foundations of FedRAMP involve a significant number of acronyms, and as much as we tried to keep them to a minimum, they’re an essential part of the story.
FedRAMP was established to:
The goals for FedRAMP (according to FedRAMP.gov) are:
One of the most critical factors for successful government adoption of cloud computing is verifying that essential security controls are implemented on any cloud solution that stores, processes, or transmits government data. Under FedRAMP, cloud systems must also meet the security levels required for protecting government data, as verified by a 3PAO audit.
The FedRAMP requirements apply to cloud service providers (CSPs) and cloud service offerings (CSOs). Depending on the context, the two acronyms (CSP and CSO) are used interchangeably.
Other important FedRAMP acronyms include the authority to operate (ATO) and the FedRAMP Program Management Office (PMO).
CSPs must prove that they meet FedRAMP compliance requirements before a federal agency can use them. The authorization mechanism is called the FedRAMP Authority to Operate (ATO).
How the cloud service provider is authorized can be a significant decision for any CSP planning to offer products and services to federal agencies.
There are two methods for obtaining a FedRAMP Authorization to Operate (ATO): directly from a government agency or the Joint Authorization Board (JAB). The latter authorization is known as FedRAMP Provisional Authorization to Operate (P-ATO).
Achieving a P-ATO is a more stringent process that is only available after a CSP has achieved several individual Agency ATOs. It requires assessment and approval by the Joint Authorization Board (JAB), which is made up of the Department of Homeland Security (DHS), the Department of Defense (DoD), and the General Services Administration (GSA).
CSPs must achieve the following high-level requirements for FedRAMP certification, authorization, and compliance by the PMO:
Any organization wishing to offer its cloud-based Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or Software-as-a-Service (SaaS) applications and services to a U.S. government agency must demonstrate that its systems are FedRAMP compliant. In fact, every federal government contract includes specific FedRAMP requirement language.
It’s imperative that your organization understands as much about the FedRAMP authorization process as possible and realizes that the process requires a lot of work.
If you’re working towards FedRAMP compliance, there are two critical steps to follow:
Generally, the organizations that require a FedRAMP-approved security provider are most federal government agencies, as well as organizations that work with the government, such as defense contractors (Lockheed Martin, Raytheon, etc.).
Finally, for organizations with advanced security requirements and especially those that must comply with FedRAMP, it’s crucial to work specifically with security vendors that are FedRAMP compliant themselves.
While this article has covered the basics, any organization seriously considering FedRAMP certification will need more specifics. For much more information and detail about FedRAMP compliance, Amazon Web Services has a great FAQ here, and the FedRAMP site has a list of important documents here.
About the Author: Mark Stone
Mark Stone is a content and copy writer with over a decade of experience covering technology, business, and cybersecurity. Earlier in his career, he was a cybersecurity analyst in the public sector. He lives in Kelowna, BC with his wife and two black cats.