Navigating The Paths To FedRAMP Authorization
December 15, 2020 • Jacob Nix
Finding the most effective and efficient path to FedRAMP authorization is a key strategic initiative for anyone providing technology-enabled products and services to the federal government. The Federal Risk and Authorization Management Program (FedRAMP) was created to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by the federal government, so that one assessment can be reused by many agencies instead of each agency repeating it.
Why is a FedRAMP Authorization Important?
Any Cloud Service Provider (CSP) working with the federal government should be considering a FedRAMP authorization. Under the OMB memorandum that established the program ("Security Authorization of Information Systems in Cloud Computing Environments", December 2011), any cloud service offering (CSO) that holds federal data must have a FedRAMP authorization. Beyond the OMB mandate, many organizations pursue a FedRAMP authorization because potential federal customers require it and because it allows the service(s) to be listed on the FedRAMP Marketplace, where other agencies can discover and reuse the authorization.
Paths to a FedRAMP Authorization
Organizations seeking an authorization will work closely with the FedRAMP Program Management Office (PMO), which is housed within GSA. The PMO is responsible for providing a consistent process for all stakeholders, enables reuse of authorized services across the government, maintains the secure repository and the Marketplace, and is a key partner to CSPs going through the authorization process.
The FedRAMP authorization process has two distinct paths to achieving an Authority to Operate (ATO):
Joint Authorization Board (JAB)
The JAB is the primary governance and decision-making body for FedRAMP and is made up of the Chief Information Officers of the Department of Defense, the Department of Homeland Security, and the General Services Administration. The JAB defines and establishes the FedRAMP baseline security controls and the accreditation criteria for Third-Party Assessment Organizations (3PAOs), and works with the PMO to ensure that controls are incorporated consistently across all security assessments and authorizations.
Any CSP that takes the JAB authorization path for its CSO has to go through a twice-yearly prioritization process (FedRAMP Connect), which includes the submission of a business case and a review by the JAB, which selects the CSOs most likely to be leveraged by multiple agencies. A JAB-prioritized CSO must also obtain a FedRAMP Ready designation through a 3PAO Readiness Assessment before the full assessment begins. The end result of a JAB authorization is a Provisional Authority to Operate (P-ATO); each agency that adopts the service still issues its own ATO on top of the P-ATO.
[Figure: JAB Authorization Path (source: fedramp.gov)]
A CSP that has a relationship with a federal agency (note: state and local government agencies are not qualified to be a sponsor) can work directly with that agency to pursue an Authority to Operate (ATO), where the agency supports the CSP through the acquisition and FedRAMP authorization process. Ultimately, the Agency's Authorizing Official (AO) must review and accept the risk associated with the use of the specific cloud service offering; the resulting ATO letter and authorization package are then submitted to the FedRAMP PMO for review before the CSO is listed as FedRAMP Authorized on the Marketplace. The Agency sponsor will also review the monthly and annual continuous monitoring deliverables provided by the CSP (covered in "Maintaining a FedRAMP authorization" below).
[Figure: Agency Authorization Path (source: fedramp.gov)]
Although both paths lead to an authorization under FedRAMP, the two have significant process differences. We recommend exploring the Agency sponsorship path: the Agency AO (rather than the JAB) is the one accepting risk, so residual findings can be negotiated with a single sponsor; you avoid the JAB prioritization process entirely; and in certain cases the CSO can go directly to the 3PAO Security Assessment, potentially skipping the Readiness Assessment, which may shorten the time to authorization.
Getting ready for FedRAMP
As FedRAMP itself advises, it is also important to understand your CSO's and organization's preparedness and viability for the authorization process. A Cloud Service Provider (CSP) should be prepared to demonstrate whether its service is already operational or still under development, and the extent of the current demand for the service in the federal market.
A CSP will need to define a few key items related to their cloud offering at the onset of the authorization process:
- Explore utilizing existing or potential Agency Partners
- Define your cloud service offering as one of the service models defined in NIST SP 800-145 (SaaS, PaaS, or IaaS)
- Determine and define the CSO's Authorization Boundary, including:
  - Define the Federal Information in the cloud (as well as the metadata associated with it)
  - Identify and document all Interconnections and External Services used by the cloud (including External Services that themselves hold a FedRAMP Authorization)
  - Document Corporate Services that support the offering
- Determine the Impact Level (Low, Moderate, or High, based on FIPS 199, where the highest of the confidentiality, integrity, and availability ratings sets the level). This determines the in-scope controls and, consequently, the level of effort for both the preparation phase and the assessment
- Determine the CSO Deployment Model, which usually falls within one of the following categories:
  - Federal Government Cloud Only
  - Government Only Cloud
  - DoD Only Cloud
  - Public Cloud
  - Private Cloud
- Prepare for the authorization assessment by a 3PAO by reviewing and updating all required documentation against the current state of the system (including the required System Security Plan (SSP))
During this last step, many organizations leverage documentation developed for other compliance frameworks (SOC 1, SOC 2, HITRUST, FISMA, PCI, ISO 27001, etc.). It is imperative that your organization understands the overlap between the different standards, but also the differences, which in the case of FedRAMP can be significant: FedRAMP expects each control to be described at the level of the specific implementation inside the authorization boundary, not as a general policy statement. We specialize in developing custom roadmaps for all of our clients. This allows for a much more efficient process, a quicker time to authorization, and an overall more optimized compliance posture that lets you maintain multiple standards while minimizing the level of effort and spend on compliance.
It is also during the preparation phase that most organizations fall short of the rigorous expectations of the FedRAMP authorization process. It is best to partner with an experienced advisory partner who can navigate and guide your organization through the process from start to finish. This will not only help get you through the process in the most efficient manner, but will also allow you to avoid common pitfalls with FedRAMP, such as not accurately defining the authorization boundary, not using FIPS 140-2 validated cryptographic modules for federal data in transit and at rest (FIPS 140-2 validates modules, not algorithms, so a "FIPS-approved algorithm" in a non-validated library does not satisfy the requirement), not implementing MFA appropriately for both privileged and non-privileged access, poor configuration documentation and immature change management processes, not applying the right resources up front, and many others.
Maintaining a FedRAMP authorization
Once you've obtained your FedRAMP Authorization, the FedRAMP journey does not end: a CSP must provide monthly continuous monitoring deliverables to the agencies that are using its service. These deliverables typically include, but are not limited to, an updated Plan of Action and Milestones (POA&M), vulnerability scan results/reports for the operating systems, databases, and web applications in the boundary, and system change information/requests, as agreed upon between the Agency and the CSP. Each Agency using the service reviews the monthly deliverables through its own AO; for an agency authorization they are not reviewed by the FedRAMP PMO. Findings must be remediated within 30, 90, or 180 days of discovery for High, Moderate, and Low severity respectively, and overdue POA&M items are the first thing an AO will ask about. Additionally, a CSP must employ a 3PAO to complete an annual security assessment to ensure that the risk posture of the system is maintained at an acceptable level throughout the lifecycle of the system.
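As an added illustration (not part of the original post, and not a RISCPoint or FedRAMP tool), the Python script below shows one way a CSP could roll monthly scan output into POA&M entries and flag the overdue ones before the package goes to the Agency AO. The remediation windows it uses (30/90/180 days for High/Moderate/Low) come from the FedRAMP Continuous Monitoring Strategy Guide; the scanner names, check identifiers, hostnames, and dates are constructed sample data, and the POA&M fields are a simplified stand-in for the columns in the FedRAMP POA&M template.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Remediation windows from the FedRAMP Continuous Monitoring Strategy Guide:
# a finding must be closed within 30/90/180 days of discovery for
# High/Moderate/Low severity. Keys are lowercase for lookup.
REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}


@dataclass
class Finding:
    """One row of a vulnerability scan export (hypothetical, simplified schema)."""
    scanner: str        # which scanner raised it (constructed names below)
    check_id: str       # the scanner's own identifier for the check
    asset: str          # host or container image inside the authorization boundary
    severity: str       # High / Moderate / Low
    first_seen: date    # date the scanner first reported this check on this asset
    title: str


@dataclass
class PoamItem:
    """One weakness tracked in the POA&M, possibly affecting many assets."""
    poam_id: str
    weakness: str
    severity: str
    assets: List[str] = field(default_factory=list)
    detected: date = date.min          # earliest first_seen across affected assets
    scheduled_completion: date = date.min


def scheduled_completion(detected: date, severity: str) -> date:
    """Due date is the discovery date plus the window for that severity."""
    return detected + timedelta(days=REMEDIATION_DAYS[severity.lower()])


def build_poam(findings: List[Finding]) -> List[PoamItem]:
    """Collapse per-asset findings into one POA&M item per (scanner, check).

    The remediation clock starts at the earliest discovery of the weakness on
    any asset; a later scan that finds it on another host does not reset it.
    """
    items: Dict[Tuple[str, str], PoamItem] = {}
    for f in findings:
        key = (f.scanner, f.check_id)
        item = items.get(key)
        if item is None:
            item = PoamItem(
                poam_id=f"V-{f.scanner}-{f.check_id}",
                weakness=f.title,
                severity=f.severity.capitalize(),
                detected=f.first_seen,
            )
            items[key] = item
        if f.asset not in item.assets:
            item.assets.append(f.asset)
        if f.first_seen < item.detected:   # earliest sighting wins
            item.detected = f.first_seen
    for item in items.values():
        item.scheduled_completion = scheduled_completion(item.detected, item.severity)
        item.assets.sort()
    # Most urgent first: earliest due date, then stable by id.
    return sorted(items.values(), key=lambda i: (i.scheduled_completion, i.poam_id))


def is_late(item: PoamItem, as_of: date) -> bool:
    """True when an open item has passed its scheduled completion date."""
    return as_of > item.scheduled_completion


def late_summary(items: List[PoamItem], as_of: date) -> Dict[str, int]:
    """Count overdue items per severity, the figure an AO asks for first."""
    summary = {"High": 0, "Moderate": 0, "Low": 0}
    for item in items:
        if is_late(item, as_of):
            summary[item.severity] += 1
    return summary


# Constructed sample scan output for a small boundary (not real scan data).
SAMPLE_FINDINGS = [
    Finding("infra-scan", "CHK-1001", "app-02", "High", date(2020, 10, 15), "Outdated TLS library"),
    Finding("infra-scan", "CHK-1001", "app-01", "High", date(2020, 10, 1), "Outdated TLS library"),
    Finding("infra-scan", "CHK-1002", "db-01", "Moderate", date(2020, 11, 1), "TLS 1.0 enabled"),
    Finding("container-scan", "CHK-2001", "api:1.4", "Low", date(2020, 9, 1), "Verbose server banner"),
]
SAMPLE_AS_OF = date(2020, 11, 15)   # constructed reporting date for the monthly package

if __name__ == "__main__":
    poam = build_poam(SAMPLE_FINDINGS)
    for item in poam:
        state = "LATE" if is_late(item, SAMPLE_AS_OF) else "open"
        print(item.poam_id, item.severity, item.detected, "->",
              item.scheduled_completion, state, item.assets)
    print("overdue by severity:", late_summary(poam, SAMPLE_AS_OF))
```

With the constructed data, the High finding first seen on 2020-10-01 is due 2020-10-31 and is already late on the 2020-11-15 reporting date, while the Moderate and Low items are still within their windows. Grouping by check rather than by host is what keeps the POA&M readable when the same weakness appears across a fleet, and anchoring the clock to the earliest sighting is what the AO will check when comparing this month's package against last month's.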
Many organizations rely on experienced Advisory Partners, such as RISCPoint, to assist in managing or executing their continuous monitoring responsibilities. This helps ensure that all requirements are met and that the ATO remains valid after the initial authorization effort.
Many organizations continue to trust RISCPoint for all of their FedRAMP and overall compliance needs given our proven track record, tailored solutions, and customer-first approach. We achieve this success by:
- Only deploying teams of industry experts who have assisted a number of cloud providers in achieving authorization.
- Attracting top-tier talent: our FedRAMP advisors have worked with and for some of the largest 3PAOs and bring knowledge of what auditors, authorizing officials, and the FedRAMP PMO look for during the authorization process.
- Utilizing a wide partner network that includes security software vendors, hosting providers, and security engineers, so we can be your one-stop shop for all your authorization needs.
- Understanding the entire cybersecurity and compliance ecosystem. We offer a wide range of security and compliance services and specialize in the development of enterprise-wide controls environments that allow you to meet multiple standards and frameworks (SOC 1, SOC 2, HITRUST, HIPAA, ISO 27001, and others) and minimize the time spent on audit and compliance work so you can focus on your day-to-day operations.