Navigating The Paths To FedRAMP Authorization
December 15, 2020 • Jacob Nix
Finding the most effective, efficient path to FedRAMP authorization is a key strategic initiative for anyone providing technology enabled products and services to the federal government. That being said, choosing the right path can be a nebulous task. At RISCPoint, our FedRAMP advisory services are designed to support companies as they navigate the entire process from start to finish, with the least friction possible.
If your organization is currently seeking FedRAMP Certification assistance, read on.
Why is a FedRAMP Authorization Important?
The Federal Risk and Authorization Management Program (FedRAMP) was created to provide a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services being utilized by the federal government.
Who should consider a FedRAMP Authorization?
Any Cloud Service Provider (CSP) which is working with the federal government. Per an OMB memorandum, any cloud service offering (CSO) holding federal data must have a FedRAMP authorization. In addition to the mandate by OMB, many organizations are considering a FedRAMP authorization due to requirements from potential federal customers and overall the ability to market the service(s) on the FedRAMP Marketplace overall.
Paths to a FedRAMP Authorization
Organizations seeking an authorization, will work closely with the FedRAMP Program Management Office (PMO). The PMO is responsible for providing a consistent process for all stakeholders, enabling services reuse across the government, and providing a secure repository and marketplace. It also acts as an overall key partner to CSPs going through the authorization process.
The ultimate goal of the FedRAMP authorization process is to achieve an Authority to Operate (ATO) status. There are two distinct paths to do so:
Joint Authorization Board (JAB)
The JAB is the primary governance and decision-making body for FedRAMP. They define and establish the FedRAMP baseline system security controls and the accreditation criteria for the Third-Party Assessment Organizations (3PAOs), but they also work with the PMO to ensure controls are incorporated consistently for all security assessments and authorizations.
Any CSP utilizing JAB authorization path for their CSO has to go through a bi-annual prioritization process, which includes the submission of a business plan and a review by the JAB, which will look for the CSOs most likely to be leveraged by multiple governmental agencies. The end result of a JAB authorization is a Provisional Authority to Operate (P-ATO).
JAB Authorization Path source fedramp.gov
A CSP that has a relationship with a federal agency (note: state and local government agencies are not qualified to be a sponsor) can work directly with them to pursue an Authority to Operate (ATO), where the agency will support the CSP through the acquisition and FedRAMP authorization process. Ultimately, the Agency’s Authorizing Official (AO) must review and accept the risk associated with the use of the specific cloud service offering. The Agency sponsor will also perform the monthly and annual deliverables provided by the CSP (covered in “Maintaining a FedRAMP authorization” below).
Agency Authorization Path source fedramp.gov
What we recommend
Although both paths lead to an authorization under FedRAMP, the two have significantly different processes. At RISCPoint, we recommend exploring the Agency sponsorship path, which allows for risk acceptance while helping organizations avoid the JAB prioritization process. In certain cases, this path also enables your CSO to go directly through the 3PAO Security Assessment (thereby potentially skipping a FedRAMP Readiness Assessment), which may allow for a quicker authorization path.
Getting ready for FedRAMP
Understanding your CSO’s and organization’s preparedness and viability for the FedRAMP authorization process is crucial. A CSP should be prepared to demonstrate whether its service is operational or is under development, in addition to the extent of the current demand for the service in the federal market.
That being said, a few key items related to the CSP’s cloud offering must be checked off at the onset of the authorization process:
- Explore utilizing existing or potential Agency Partners
- Define your cloud service offering as one of the service models defined in NIST SP 800-145
- Determine and define the CSO’s Authorization Boundary, including:
- Define Federal Information in the Cloud (as well as Metadata associated with the cloud)
- Identify and document all Interconnection and External Services in the cloud (including leveraging External Services with a FedRAMP Authorization)
- Document Corporate Services
- Determine the Impact Levels – Low, Moderate, High (based on FIPS 199) – this will determine the in-scope controls and subsequent level of effort for both the preparation phase, but also the assessment
- Determine the CSO Deployment Model, which usually falls within one of the following categories:
- Federal Government Cloud Only
- Government Only Cloud
- DoD Only Cloud
- Public Cloud
- Private Cloud
- Prepare for the authorization assessment by a 3PAO by reviewing and updating all required documentation against current state (including the required System Security Plan (SSP)
During this last step, many organizations leverage documentation developed for other compliance frameworks (SOC 1, SOC 2, HITRUST, FISMA, PCI, ISO 27001, etc.). Understanding the overlap between the different standards, as well as the differences between them, becomes that much more important. In FedRAMP’s case, this could be quite significant.
At RISCPoint, we specialize in developing custom roadmaps for all of our clients. Our team of experienced FedRAMP advisors allow for a much more efficient process, a quicker time to authorization, and, overall, a more optimized compliance posture permits organizations to maintain multiple standards, while minimizing the level of effort and budget spent on compliance.
It is also worthy to note that the preparation phase is often where most organizations fall short of the rigorous expectations set forth by FedRAMP. By partnering with FedRAMP experts, organizations are not only able to complete the process in the most efficient manner, but can avoid common pitfalls with FedRAMP, such as not accurately defining the authorization boundary, not having FIPS 140-2 validated encryption algorithms, not implementing MFA appropriately, poor configuration documentation and immature management processes, not applying the right resources up front, and many others.
Maintaining a FedRAMP authorization
Once you’ve obtained your FedRAMP Authorization, the FedRAMP journey isn’t over. We don’t get to pack our bags and just go home.
Moving forward, all authorized CSPs must provide monthly, continuous monitoring deliverables to the agencies using their service. These deliverables typically include, but are not limited to, an updated POA&M, scan results/reports, and system change information/requests, as agreed upon between the Agency and the CSP. Each agency using the service reviews the monthly continuous monitoring deliverables, but they do not need to be shared with FedRAMP. Additionally, a CSP must employ a 3PAO to complete an annual security assessment to ensure that the risk posture of the system is maintained at an acceptable level throughout the lifecycle of the system.
A lot of organizations rely on experienced FedRAMP advisors, such as RISCPoint, to assist in managing or executing their continuous monitoring responsibilities because of our proven track record, tailored solutions, and customer-first approach. We achieve this success by:
- Only deploying teams of industry experts who have assisted a number of cloud providers achieve authorization.
- Attracting top tier talent, having FedRAMP advisors who have worked with and for some of the largest 3PAOs and bring the knowledge of what auditors, authorizing officials, and the FedRAMP PMO look for during the authorization process.
- Utilizing a wide partner network includes security software vendors, hosting providers, as well as security engineers – we will be your one-stop-shop for all your authorization needs.
- Understanding the entire Cybersecurity and compliance ecosystem. We offer a wide range of security and compliance services and specialize in the development of enterprise-wise controls environments which will allow you to meet multiple standards and frameworks (SOC 1, SOC2, HITRUST, HIPAA, ISO 27001, and others) and minimize the time spent on audit and compliance works so you can focus on your day-to-day operations.
Have questions about how our work can work for you? Get in touch with us with the form below.