FedRAMP Authorization is the main prerequisite to offering cloud services to the US Government. Learn more about the authorization requirements.
With hundreds of departments and agencies, the US Government is one of the largest cloud services consumers. Many cloud service providers (CSPs) are competing to become federal partners. At the same time, federal agencies are often reluctant to embrace cloud technologies due to multiple security challenges and an intense cloud adoption process. To empower the agencies to use cloud products and services, provide CSPs with equal conditions for contract awards, and ensure safety within the government-used cloud environments, the US Government established the Federal Risk and Authorization Management Program (FedRAMP).
FedRAMP is a government-wide program established in 2011 to secure cloud service environments used by federal agencies. The main aim of the program is to “provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government.” Understanding that cloud adoption is critical in the digital era, FedRAMP empowered agencies to use modern technologies while paying particular attention to cloud security. Specifically, the program aims to protect cloud-based federal information and accelerate the adoption of secure cloud solutions.
FedRAMP standardizes security requirements for the authorization and cybersecurity of cloud services in accordance with the Federal Information Security Management Act (FISMA). Both FedRAMP and FISMA use the NIST SP 800-53 security controls. Per FISMA, NIST 800-53 is used for establishing “policies which shall set the framework for information technology standards for the Federal Government.” Per FedRAMP, NIST defines the security controls, parameters, and guidelines that address the unique elements of cloud computing. In plain language, FedRAMP is FISMA for the cloud.
FedRAMP is mandatory for all federal cloud deployments and service models at the high, moderate, and low-risk impact levels. This means that FedRAMP Authorization is now a goal for all cloud service providers who offer their services to the government. Despite the intensity of the authorization process, many CSPs are actively working towards FedRAMP authorization. The total number of authorized cloud service vendors is now 236, and this number keeps increasing.
The Joint Authorization Board (JAB) is FedRAMP’s primary governance and decision-making body. It consists of the Chief Information Officers from the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA). The JAB, among other things, is responsible for:
The FedRAMP Program Management Office (PMO) is another critical body within FedRAMP. The mission of the PMO is to:
For now, FedRAMP is positioned as a “do once, use many times” framework. Thus, the program’s first benefit is streamlining the approval process for CSPs to provide cloud services to federal agencies. Specifically, CSPs can obtain the FedRAMP authorization once and reuse it while working with any federal agency. Such an approach eliminates duplicative efforts and provides CSPs with more opportunities to offer their services.
Second, FedRAMP implies continuous improvement and adaptability. While most federal agencies are reluctant to adopt technological innovations, FedRAMP aligns the cloud adoption efforts and makes cloud transformation adaptable, agile, and adjustable. Such characteristics are beneficial for both CSPs and the government.
Third, FedRAMP enables federal structures to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations. This transparency contributes to building trust between the CSPs and federal agencies, making them more confident about the safety and security of cloud-based data.
Despite FedRAMP’s high mission and mandate, criticism exists. Many CSPs argue that FedRAMP creates more barriers than benefits for distributing their service offerings. This criticism is mainly related to the FedRAMP approval process, which is very time- and resource-intensive. It may take anywhere between six months and two years.
The FedRAMP compliance requirements are outlined in NIST SP 800-53 and supplemented by the FedRAMP PMO. Before being eligible to serve federal agencies, CSPs must undergo an approval process and obtain a FedRAMP Authority to Operate (ATO).
CSPs can obtain a FedRAMP ATO in two ways: either from the Agency Partner (the first agency to grant an ATO) or from the JAB. These paths differ in the following ways:
The agency authorization is granted through assigned officers responsible for making the risk decisions on behalf of the agency. The officers can decide whether a CSP is a reliable vendor for the Agency Partner as well as for the other federal structures. As such, they can grant the FedRAMP ATO, which other agencies may reuse.
The JAB, in contrast, can only provide a provisional authorization (FedRAMP P-ATO) because it does not have the authority to accept risk on behalf of any federal agency. The P-ATO entails more stringent requirements because it must be approved by DoD, DHS, and GSA. The P-ATO can be used as an initial approval that agencies leverage in granting security authorizations and an accompanying ATO for use.
At the beginning of the authorization process, all CSPs wanting to cooperate with federal agencies must complete the necessary FedRAMP documentation. Among other documents, CSPs must pay special attention to the FedRAMP System Security Plan (SSP) and the FedRAMP FIPS 199 Categorization. The first must outline how the CSP implements the security requirements; the second must record all the existing controls.
When all the documents and controls are in place, the CSP should notify the FedRAMP PMO about the intent to pursue FedRAMP Authorization and initiate the following compliance steps. For this purpose, it is necessary to complete the PMO’s CSP Information Form.
At this stage, the CSP should work in partnership with a Third Party Assessment Organization (3PAO) to complete a Readiness Assessment Report. Among other things, the report should include the CSP’s system information and capability to meet the FedRAMP security requirements.
If the Assessment Report has a favorable risk recommendation from the 3PAO, it may be submitted to the PMO, which reviews it and assigns the FedRAMP Ready designation status. If the PMO deems the Report unacceptable, the CSP should take necessary remediation measures and develop a Plan of Action and Milestones (POA&M).
The FedRAMP Ready designation status is valid for one calendar year from the date of designation by the FedRAMP PMO. It indicates that the CSP has a high likelihood of achieving a FedRAMP Authorization.
The FedRAMP In Process designation is provided to CSPs actively working toward a FedRAMP authorization with either the JAB or a federal agency. For the JAB, a CSP should go through a process called “FedRAMP Connect”. The process requires CSPs to submit a business case with detailed product information (the cloud service offering, or CSO) and government-wide demand. The criteria for business cases and evaluation are described in the JAB Prioritization Criteria and Guidance document.
In order to be listed as FedRAMP In Process with an agency, a CSP must obtain written confirmation of the agency’s intent to authorize. Additionally, at least one of four requirements must be fulfilled.
The FedRAMP Authorized designation is provided to CSPs that have successfully completed the FedRAMP authorization process with the JAB or a federal agency. FedRAMP Authorized indicates that all FedRAMP requirements have been met, and a CSO’s security package is available for agency reuse.
After getting a FedRAMP ATO, CSPs should maintain and validate the security posture of their service offering. As such, there is a lot of tough work ahead. Among other things, the CSP must conduct vulnerability management, which entails monthly operating system, database, and web application scanning reports, as well as conduct annual assessments and provide incident reports. Continuous monitoring ensures that the organization maintains an appropriate security posture.
The program provides a FedRAMP Marketplace database of all stakeholders involved. It contains CSOs that have achieved any of the FedRAMP designation statuses (either Ready, In Process, or Authorized). The Marketplace database also lists all the accredited auditors (3PAOs) that can perform the FedRAMP assessment. Finally, it contains a catalog of the partnering CSPs for a FedRAMP Authorization. As such, organizations may use the FedRAMP Marketplace as a resource to:
If you have any questions regarding the FedRAMP authorization assessment or need help with performing all the preparation steps, contact our Planet 9 team. We’ll be happy to assist.