What is FedRAMP Compliance?
The Federal Risk and Authorization Management Program or FedRAMP for short is a standardized security assessment and authorization program for all cloud products and services used by federal government agencies. Introduced in 2012, FedRAMP was developed in response to the increased use of cloud computing on the part of large scale businesses and corporations around the U.S. FedRAMP was developed in accordance with the Federal Information Security Modernization Act of 2014 or FISMA 2014 as one of many of the measures taken by the federal government to update its technological infrastructure.
The FedRAMP is mandatory for all US federal agencies and any cloud computing services that these entities may employ. To this end, FedRAMP is governed by the Office of Management and Budget or OMB, the US General Services Administration or GSA, the US Department of Homeland Security or DHS, the US Department of Defense or DoD, the National Institute of Standards & Technology or NIST, and the Federal Chief Information Officers or CIO Council. FedRAMP is important for federal agencies for the following reasons:
- It promotes both consistency and confidence in regards to the cloud computing systems used by government agencies in accordance with standards set forth by the National Institutes of Standards & Technology or NIST and the FISMA 2014.
- It promotes transparency between the U.S. government and their cloud service providers.
- It promotes both automation and real time continuous monitoring in relation to cloud service providers.
- It promotes the adoption of secure cloud solutions on the part of the U.S. government through the reuse of assessments and authorizations.
What are the requirements for FedRAMP compliance?
Under FedRAMP, federal agencies who make use of cloud computing solutions during the course of their duties and operations are obliged to conduct security assessments and authorizations, as well as maintain the continuous monitoring of related cloud services. To this end, the FedRAMP Program Management Office or PMO has set forth the following requirements that federal agencies must comply with:
- Cloud service providers or CSP’s must be granted either an Agency Authority to Operate or ATO by a U.S. federal agency or a Provisional Authority to Operate or P-ATO by the Joint Authorization Board or JAB.
- Cloud service providers must meet all FedRAMP security control requirements in accordance with the National Institutes of Standards & Technology or NIST 800-53, Rev. 4 security control baseline for moderate and high impact levels.
- All cloud solution security packages must make use of required FedRAMP templates.
- All cloud service providers used by federal agencies must first be approved by a third-party assessment organization or 3PAO.
- All completed security assessment packages must be posted in the FedRAMP secure repository.
What are the two types of FedRAMP compliance?
Federal agencies who are looking to achieve FedRAMP compliance with respect to their cloud service providers can adhere to the two following pathways:
- Joint Authorization Board or JAB Authorization – In order to receive FedRAMP FedRAMP JAB Provisional Authority to Operate or P-ATO, a cloud service provider must first be assessed by a FedRAMP accredited 3PAO, undergo review by the FedRAMP PMO, and receive a P-ATO from the JAB. The JAB is comprised of the Chief Information Officers or CIOs from the Department of Defense or DoD, the Department of Homeland Security or DHS, and the General Services Administration or GSA.
- Agency Authorization – Alternatively, government agencies can also achieve FedRAMP compliance through agency authorization. Under this pathway, a cloud service provider is first reviewed by a customer agency CIO or a Delegated Authorizing Official to achieve a FedRAMP-compliant ATO that is then verified by the FedRAMP Program Management Office or PMO.
Irrespective of the pathway that a particular government agency takes in terms of FedRAMP compliance, FedRAMP authorization involves the following four steps:
- Package development – The first step in achieving FedRAMP compliance is the development of a system security plan. After an appropriate system security plan is developed, a FedRAMP approved third party assessment organization will then be prompted to develop a security plan assessment plan.
- Assessment – The third party assessment organization will then be required to submit a security assessment report, including a specific plan of action, in addition to milestones.
- Authorization – In the third step of the process, the JAB or applicable authorizing government agency will then need to decide whether the risks laid out in the first two steps of the process are deemed to be acceptable. If these risks are deemed to be acceptable, an Authority to Operate letter to the FedRAMP will then need to be submitted to the appropriate project management office. Additionally, the cloud service provider will be listed in the FedRAMP marketplace.
- Monitoring – In the final step of the authorization process, the cloud service provider who is working with a federal agency will then be responsible for sending monthly security monitoring deliverables to each federal agency using the service.
As online technology continues to change the ways in which employees go about their day to day job functions, regulations such as FedRAMP are more important than ever before. In accordance with the FISMA 2014, the FedRAMP is any way in which the U.S. government has sought to modernize its technological framework. As websites used by federal agencies will undoubtedly have a greater risk of being impacted by cyber attacks than other websites, laws such as FedRAMP stand guard against such attacks. As such, American citizens can rest assured that the U.S. government is taking all the necessary steps to protect it’s cloud based computing infrastructure.