FedRAMP: A Guide to Authorization and Certification

As cybersecurity threats rise, customers are cautious about partnering with organizations at higher risk. The Federal government enforces cybersecurity standards like FedRAMP for its partners. Learn about FedRAMP authorization here.

What is Meant by FedRAMP?

FedRAMP emerged in 2011 as a response to increasing cyber threats and the growing use of cloud technologies within federal departments and agencies. It offers a cost-effective and risk-oriented framework for assessing, authorizing, and continuously monitoring cloud products and services used by federal entities that handle federal information.

Why is FedRAMP significant?

FedRAMP enhances trust in cloud solutions by implementing ongoing monitoring and maintaining a uniform application of the best information security practices and protocols. This structured, controlled method effectively reduces the vulnerability to cyberattacks.

Who requires FedRAMP Authorization?

Federal agencies utilizing cloud technology must partner with a FedRAMP-certified Cloud Service Provider (CSP). If you intend to engage with the government and host federal systems, FedRAMP is applicable to your environment, necessitating authorization.

What are the Benefits of FedRAMP Authorization? 

Gaining authorization provides several benefits for CSPs, such as:

  • Enhanced real-time security monitoring.
  • A consistent method for risk-based management.
  • Substantial cost, time, and resource savings by reducing redundancy in meeting federal cybersecurity standards.
  • Increased sharing of established security assessments among agencies.
  • Improved transparency in the government-CSP relationship.
  • Enhanced credibility, reliability, consistency, and quality in the Federal security authorization process.

How can I attain FedRAMP certification?

FedRAMP offers a standardized assessment process for Cloud Service Providers (CSPs) seeking government contracts.

CSPs have two options for authorization:

  1. Agency Sponsorship: A federal agency sponsors the CSP's authorization, which expedites its approval.
  2. Joint Authorization Board (JAB): The JAB is the primary governing body for FedRAMP and can grant authorization directly.

While organizations can choose their preferred path, many opt for agency sponsorship because the JAB route is highly competitive, with only 12 systems selected annually (three per quarter).

What are the main steps in the FedRAMP Assessment and Authorization process? 

Irrespective of the chosen approach (agency sponsorship or JAB), the authorization process comprises these key phases: 

  1. Preparation Phase: The provider develops a System Security Plan (SSP), and a FedRAMP-approved third-party assessment organization (3PAO) then creates a Security Assessment Plan.
  2. Full Security Assessment: The 3PAO submits a Security Assessment Report, and the provider establishes a Plan of Action and Milestones (POA&M) for any findings. The assessment evaluates the company's adherence to the NIST 800-53 controls that underpin the security authorization. Continuous assessment and authorization procedures are subsequently implemented to maintain authorization.
  3. Authorization: The JAB or the authorizing agency assesses whether the described risk is acceptable. If approved, it issues an Authority to Operate (ATO) letter to the FedRAMP project management office, and the provider is listed in the FedRAMP Marketplace.
  4. Continuous Monitoring: The provider delivers security monitoring reports on a monthly basis to the organizations using the service.

What’s the FedRAMP Assessment Timeline?

Step 1: Gap Assessment (recommended) to identify and address deficiencies in the environment and confirm readiness for the authorization assessment that leads to FedRAMP Authorized status.

Step 2: Pre-Assessment Review (1-4 Weeks)

Step 3: Planning Activities (4 Weeks)

Step 4: Assessment Activities (7 Weeks)

Step 5: Reporting Activities (5 Weeks)

Step 6: Sponsor Issues Authority to Operate (2-3 Weeks) and listing in the FedRAMP Marketplace

Step 7: Ongoing Authorization Maintenance

What are the FedRAMP Compliance Impact Levels?

  1. Low Impact SaaS (FedRAMP Tailored or LI-SaaS): LI-SaaS, a subset of low impact, typically entails the independent assessment of 50+ controls. This designation applies to SaaS applications that only store basic login information, such as usernames and passwords, without personally identifiable information. Organizations achieving LI-SaaS status would experience minor adverse effects in the event of confidential information loss.
  2. Low Impact Level: The low impact level encompasses approximately 125 controls. Organizations with low authorization status would experience limited adverse effects in case of confidential information loss.
  3. Moderate Impact Level: The moderate impact level involves approximately 325 controls, and the majority of organizations fall into this category. The organization would face significant repercussions if confidential information in this category were to be compromised.
  4. High Impact Level: The high impact level includes roughly 425 cybersecurity controls and primarily applies to organizations in law enforcement, emergency services systems, financial systems, and health systems. Organizations should particularly pursue high impact if any loss of confidential information could result in catastrophic consequences.

Please note that the number of controls for each impact level is based on NIST 800-53 revision 4 and may change with the transition to revision 5, with the transition plan, templates, and guidance expected to be released by the end of 2022.

What are typical FedRAMP authorization challenges?

  1. Lack of Awareness Regarding Authorization Complexity: CSPs may underestimate the detailed nature of the FedRAMP security standards, which are more specific compared to general security assessments.
  2. Failure to Recognize Control Inheritance Advantages: CSPs might overlook the benefits of inheriting security controls from their underlying FedRAMP-authorized infrastructure provider, which can result in time and resource savings.
  3. Underestimating the Role of Automation: Organizations often underestimate the potential of compliance automation software to streamline and automate the authorization process.

Conclusion

In brief, FedRAMP, established in 2011 to enhance security in federal cloud technology adoption, enforces rigorous standards and continuous monitoring to reduce cyber threats. Federal agencies must work with FedRAMP-certified Cloud Service Providers (CSPs), and CSPs that gain authorization benefit from improved security, cost savings, and credibility. However, navigating the process, whether via agency sponsorship or the competitive Joint Authorization Board (JAB) route, comes with challenges such as underestimating its complexity and underutilizing control inheritance and automation, all of which matter in today's evolving cybersecurity landscape.

Written by A-LIGN Assurance

A-LIGN is a technology-enabled security and compliance partner that helps global organizations take a strategic approach to confidently mitigate cybersecurity risks. We bring the people, process and platform you need to secure your summit.
