FedRAMP (the Federal Risk and Authorization Management Program) is the program used to evaluate and authorize cloud service providers' (CSPs') service offerings, giving them the opportunity to obtain direct contracts with federal government agencies. FedRAMP is an in-depth and rigorous process for ensuring the adequate and required security posture of cloud service offerings (CSOs).
In the eyes of the guys who wrote it, “FedRAMP enables Agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost effective cloud-based IT.” Essentially, Agencies want to become mobile and nimble, without compromising security.
How is FedRAMP designed to manage government cyber security risk?
The amount of sensitive data going in and out of the U.S. Federal Government's offices and devices on a daily basis clearly calls for a higher level of assurance than most industries. As an extension of FISMA, the U.S. Federal Government had to enact stricter parameters for the service providers it chooses to work with. Thus, FedRAMP was established in 2012 and is managed by the U.S. General Services Administration.
FedRAMP is a government program that standardizes the approach for assessing, authorizing, and monitoring CSPs, instituted in response to the increasing number of Federal Agencies adopting cloud solutions and choosing to work with CSPs, effectively helping to reduce cloud-based infrastructure and application cybersecurity risks.
More specifically, the program determines which CSOs agencies may use by requiring the implementation of a set of security and privacy controls (the precise number depends on the system impact level) and evaluating a CSO's level of compliance with NIST SP 800-53 rev 4 and federally mandated controls, along with its security posture for both internally and externally facing attack surfaces. These requirements must be met before a CSP can be considered for an Authorization to Operate (ATO) by either the FedRAMP Joint Authorization Board (JAB) or government agencies / the Department of Defense (DoD).
The FedRAMP Program Management Office (PMO) has established the following goals:
- Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
- Improve confidence in the security of cloud solutions and security assessments
- Achieve consistent security authorizations using a baseline set of agreed-upon standards for cloud product approval in or outside of FedRAMP
- Ensure consistent application of existing security practices
- Increase automation and near real-time data for continuous monitoring
What is FedRAMP compliance?
For starters, FedRAMP is not a certification but an authorization. An organization that successfully goes through the FedRAMP process will obtain an ATO either from the FedRAMP JAB or a sponsoring/partnering U.S. Government Agency. (The word certification is being used in this blog to help differentiate between industry certifications (e.g., ISO/IEC 2700X, SOC) and a FedRAMP authorization.)
The number of compliance requirements that CSOs are mandated to meet is driven by the Federal Information Security Modernization Act of 2014 (Public Law 113–283), FISMA, and the respective memorandums from the Office of Management and Budget.
Implementation guidance for other U.S. Federal mandates is specified by several U.S. Government agencies:
- National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) and Special Publications (SPs)
- Department of Homeland Security (DHS) Binding Operational Directives (BODs) and Homeland Security Presidential Directives; these outline the rigorous set of controls intended to protect federal information and are supplemented with additional guidance from the FedRAMP Program Management Office (PMO)
The levels of CSP Authorizations
CSOs are categorized into system impact levels that are the basis for NIST SP 800-53 rev 4 control selection, application of specific federally mandated requirements and levels of technical testing required for ATO consideration. Each Impact Level is determined by the potential impact that information might have on the agency’s ability to “conduct its mission”.
DoD Impact Level 1 + 2 (Low Impact)
For Civilian U.S. Government (USG) use with regard to non-Controlled Unclassified Information. This is the low "watermark" for confidentiality, integrity, and availability of agency information not designated as Controlled Unclassified Information (CUI) or critical for USG Agency mission(s). For DoD CSOs, Level 1 is no longer used and has been merged with Level 2, which includes all data cleared for public release, as well as some low-confidentiality unclassified information not designated as CUI or critical military/contingency operations mission data; this information nonetheless requires some minimal level of access control (e.g., user ID and password).
DoD Impact Level 3 + 4 (Moderate Impact)
This level covers around 80% of CSOs (e.g., IaaS, PaaS, SaaS), where a loss of confidentiality, integrity, or availability could cause serious to catastrophic impact on a Civilian USG agency. Damages at this level may include operational disruption, monetary loss, and non-physical harm. For DoD CSOs, Level 3 is no longer used and has been merged with IL 4 (Controlled Unclassified Information). Level 4 accommodates CUI and/or other mission-critical data, including data used in direct support of military or contingency operations. Of particular note, IL 4 addresses those systems that store, process, and transmit:
- Export Controlled information (both International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR))
- Privacy Information
- Protected Health Information (PHI/ePHI)
- Other information requiring explicit CUI designation
DoD Impact Level 5 (FedRAMP+)
This level adds additional controls as required by the USG agencies or the FedRAMP JAB. For DoD Commercial IL 5, CSP/CSO customers include all Federal Government customers (Federal Agencies only), which includes DoD Components and certain DoD contractors operating a DoD system for the benefit of the DoD. IL 5 accommodates National Security Systems (NSS) and CUI information categorizations based on CNSSI-1253 up to moderate confidentiality and moderate integrity (M-M-x).
DoD Impact Level 6 (High Impact)
This level is most appropriate for CSOs that handle high-risk systems (e.g., defense, intelligence, healthcare, finance, emergency services, law enforcement systems). Breaches are considered catastrophic, resulting in financial loss, shut-down operations, or intellectual property or lives being put at risk.
DoD IL 6 is for systems processing, storing, and transmitting Classified Information up to SECRET. Level 6 CSOs may support a Federal Government Community or a DoD only community (i.e., the CSO is DoD Private). Due to the requirement that the entire CSO infrastructure be dedicated and separate from other CSP/CSO infrastructure, Level 6 CSOs may only be provided by CSPs under contract to the DoD or a Federal Agency. In this sense, the CSO is not considered “commercial.”
Should my organization pursue FedRAMP Authorization?
FedRAMP authorizations are tough to get because they involve both a dedication of resources and a number of key players within the FedRAMP authorization process. It's important to understand your company's and your CSOs' preparedness beforehand.
Here are a few things to consider before beginning your FedRAMP journey:
- Does the federal government have a genuine need for your product? How do you know? Are you confident they’ll buy it?
- Are you willing to invest in a comprehensive sales strategy aimed at the public sector, including hiring a specialized sales staff?
- Is your organization prepared for the significant amount of dedicated resources and time that the authorization process and ongoing continuous monitoring will take?
- Can you afford the costs of organization-wide optimization? Do you have buy-in from everyone within your business?
The case for pursuing FedRAMP is strong—millions of dollars in sales and revenue are in the balance for organizations that successfully obtain a FedRAMP ATO and listing on the FedRAMP Marketplace. Several companies that have achieved FedRAMP authorizations have considered this to be a game changer for their organization and how they grow into the future.
MSM Group. “Gaining FedRAMP certification paid off in July, when NASA Langley awarded MSM a $5.5 million contract to deploy iSite centerwide”.
Splunk. “Our FedRAMP authorization serves as further validation of Splunk’s commitment to our public sector customers and our ability to power digital transformation across the government”. “Thousands of public sector organizations worldwide are leveraging the Splunk Data-to-everything platform, including all three branches of the U.S. government and 15 cabinet-level departments.”
Rescale. "Until now, high performance computing in the cloud has been inaccessible for all Federal Agencies and many research institutions because cloud products and services cannot be adopted without FedRAMP status." "The National Renewable Energy Lab (NREL), a division of the U.S. Department of Energy (DOE), co-sponsored the FedRAMP application with Rescale, to accelerate its energy efficiency and exploration research."
1901 Group. “1901 Group announced it has been awarded a Call order by the Federal Trade Commission… a potential value of $50,900,000 over a 9-year period”. “1901 Group will leverage its FedRAMP authorized managed services and cloud expertise to help FTC transition.”
Want to learn more about FedRAMP?
The FedRAMP authorization process is a long and complex journey, but getting through it is critical for commercial organizations that want to provide any sort of cloud-based product or service to federal agencies. Working with a Third Party Assessment Organization (3PAO) as your advisor can help you simplify and streamline the process of achieving authorization. Read on about achieving a FedRAMP ATO, or get in touch with an NCC Group Risk Management & Governance expert.