What is a FedRAMP ATO?

What does obtaining a FedRAMP Authorization to Operate (ATO) actually mean? What benefits come with it? Is it worth the immense investment of time and money?

07 March 2023

FedRAMP Refresher

In case you need a refresher, FedRAMP (the Federal Risk and Authorization Management Program) is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for the cloud products and services, whether commercially or government operated, that federal agencies use.

There are four (4) civilian agency authorization baselines (High, Moderate, Low and LI-SaaS), with up to 421 controls in the High baseline, and four (4) DoD Information Impact Levels (ILs) for cloud systems, defined in the DoD Cloud Computing Security Requirements Guide (SRG): IL2 (public information), IL4 (Controlled Unclassified Information, CUI), IL5 (higher-sensitivity CUI) and IL6 (classified information up to Secret). "What is FedRAMP?" covers the civilian baselines in more depth; the DoD cloud requirements will be covered in an upcoming article.

Before a cloud service offering (CSO) can be used by a federal agency, the cloud service provider (CSP) must demonstrate that the FedRAMP controls are implemented and that continuous monitoring (ConMon) processes are in place and being maintained. The FedRAMP Program Management Office (PMO) publishes test case templates and guidance that address the applicable controls and ConMon processes.

Basically: every CSP whose CSO is used by the federal government must demonstrate FedRAMP compliance by obtaining a FedRAMP authorization, a.k.a. a FedRAMP Authorization to Operate (ATO).

Benefits for FedRAMP CSPs

Gaining a FedRAMP authorization is an expensive endeavor: a 2017 study by a Third Party Assessment Organization (3PAO) estimated that a CSP working with a 3PAO spends $250,000 to $350,000 on average. But there are undeniably lucrative benefits for FedRAMP-authorized CSPs.

Placement on the FedRAMP Marketplace.

Perhaps most notably, CSPs that achieve the FedRAMP Ready designation (through a 3PAO Readiness Assessment Report, or RAR) are listed on the FedRAMP Marketplace. Federal agencies use the Marketplace to research services that meet their requirements, so if a CSP is interested in pursuing government clients, even this pre-authorization step is an effective way to put information about your organization's service offerings in front of potential customers.

The Best Customer.

The US government is the single largest buyer of goods and services in the world, and given the sheer size of its agencies, it is a reliable customer. Even during economic downturns, when private-sector spending declines, public-sector demand remains stable.

Priority is the Cloud.

Moreover, the US government is “cloud first,” which is a literal directive from the White House to “evaluate safe, secure, Cloud Computing options before making any new investments.”

“Do once, use many times”.

Under the traditional FISMA process, a CSP must obtain a separate ATO from each agency, and each agency assesses the system on its own. A FedRAMP authorization package is built to be reused: any federal agency can leverage the existing package and issue its own ATO without repeating the full assessment. Note that each agency still makes its own authorization decision; what is shared is the assessment package, not the ATO itself.

Making other audits simpler.

The FedRAMP authorization process is arduous, but its controls are drawn from NIST SP 800-53, which is also the basis for numerous other security frameworks, including HIPAA, DFARS (via NIST SP 800-171) and CJIS, so much of the evidence gathered for FedRAMP can be reused in those audits.

Levels the playing field during acquisition.

FedRAMP authorization gives CSPs a standard way to articulate their security posture and lets government procurement personnel confirm that all competing suppliers meet the same security bar.

How Can My Organization Achieve a FedRAMP ATO and Maintain Compliance?

There are two paths to a FedRAMP authorization. The first is to obtain an ATO directly from a sponsoring federal agency; the second is to receive a Provisional ATO (P-ATO) from the Joint Authorization Board (JAB), the primary governance and decision-making body for the FedRAMP program. More on that in a later article in this series.

Today, more than 150 agencies participate in the FedRAMP program and more than 220 CSPs have had their systems authorized.

How Long Does It Take to Get a FedRAMP ATO?

This is a bit of a trick question: the answer depends on your organization's experience with FedRAMP, the authorization path you take (JAB or agency sponsor) and the baseline you are pursuing. We recommend breaking your timeline into four main phases:

  • Readiness Review. Required for JAB authorization and recommended as preparation for an agency ATO; estimated at about one month.
  • Remediation. Difficult to estimate because every business is different; in most cases companies need 4 to 6 months or more before they are ready, depending on their commitment to obtaining an ATO.
  • Full Security Assessment. A 3PAO performs an independent assessment of your security controls, including in-depth security testing (penetration testing) and vulnerability scans. This phase takes 2 to 4 months depending on your resourcing and commitment to obtaining an ATO.
  • Authorization Process. You work with the JAB, or with your sponsoring agency and the FedRAMP PMO, to review your authorization package and receive an ATO. This phase takes 2 to 3 months or more, depending on how regular and open your communication with the JAB or agency is and on the accuracy and completeness of your authorization package.