What is FedRAMP?
Cybersecurity concerns can rise to the level of national security, especially when they involve the federal government. Past data breaches like the recent SolarWinds hack have shown why it is important for the federal government to set cybersecurity standards for government contractors. One critical aspect of government networks is cloud services. In Fiscal Year 2020, federal agencies spent over $6 billion on cloud computing, making it an important part of federal procurement. All Cloud Service Providers selling to the federal government must meet proven security standards established through FedRAMP.
The Federal Risk and Authorization Management Program (FedRAMP) is a governmentwide program that provides a common, standardized approach to security assessment, authorization, and continuous monitoring for cloud services.
FedRAMP forms a collaboration that links the federal government and the contracting industry to modernize Information Technology (IT) infrastructure while protecting federal data. Let’s break down what you need to know about this program.
What is FedRAMP?
The objective of FedRAMP is to establish a reliable, high level of protection for federal data in the cloud. The cloud offers an extensive array of services supplied on demand over the internet, giving easy access to applications and resources.
FedRAMP was developed by partnerships with cybersecurity and cloud experts from the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DoD), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO) Council, National Security Agency (NSA), and the private sector.
FedRAMP compliance is required in multiple government Requests for Information (RFIs), Requests for Quotes (RFQs), and Requests for Proposals (RFPs). There are 14 applicable laws that include responsibilities for maintaining records, sharing personal data, and safeguarding against and responding to breaches.
In addition, there are 19 standards and guidance documents sourced from NIST, the Federal Trade Commission, the National Archives, and the Federal Deposit Insurance Corporation (FDIC). FedRAMP replaced outdated software solutions and created a rigorous software-as-a-service (SaaS) certification.
FedRAMP Objectives and Advantages
FedRAMP has several objectives for GSA contractors including:
- Fast-track the security approval process
- Improve confidence in cloud security and security assessments
- Establish a uniform security authorization baseline using approved NIST standards
- Ensure dependable application of existing security controls
The advantages of using FedRAMP include:
- Spreads the re-use of effective IT security risk assessments throughout government
- Saves budget and resources
- Enhances the existing security posture
- Supports a standard method for managing cybersecurity risk
These bring us to our next question – why should you get FedRAMP certified?
Why Should You Get FedRAMP Certified?
Prior to FedRAMP, suppliers had to meet a different set of security requirements for each individual government agency. FedRAMP replaces this piecemeal process with a common security framework, making it possible for government agencies and cloud service providers to reuse authorizations.
The FedRAMP approach is a “do once, use many times” framework that conserves government budget and, in addition, saves the staff time that would otherwise be spent managing separate security evaluations for different government agencies.
Now, government agencies can review a standardized set of security materials against one common reference point. A cloud service offering is authorized once; afterward, its security package can be reused by any agency.
How Do I Earn FedRAMP Authorization?
There are 3 ways to earn FedRAMP Authorization – via Joint Authorization Board P-ATO (JAB P-ATO), a FedRAMP Agency ATO, or working independently for a FedRAMP compliant package.
To work with a government agency, a Cloud Service Provider (CSP) will need to determine which FedRAMP authorization path to take.
For more information on CSP Roles and Responsibilities, FedRAMP has a helpful graphic you can reference.
Phases of the FedRAMP Process
There are generally 3 phases to either process:
- Preparation/Security Assessment
- Leveraging and Authorization
- Continuous monitoring
Phase 1 – Preparation
The CSP prepares to undergo the authorization process by making any required technical and procedural modifications to meet federal security requirements and by organizing the security deliverables required for authorization.
In addition, a Third-Party Assessment Organization (3PAO) will need to conduct an impartial audit of the system.
Phase 2 – Leveraging and Authorization
For an agency authorization, the agency reviews the security package, accepts the risk, and issues an Authorization to Operate (ATO). The ATO is based on the agency’s risk tolerance.
For a JAB authorization, the JAB evaluates the CSP’s security package and issues a Provisional Authorization to Operate (P-ATO) for the cloud service.
These security packages, whether authorized through the JAB or an agency, are available within the secure FedRAMP repository for agencies to review, perform a risk analysis on, and re-use.
Phase 3 – Continuous Monitoring/Ongoing Assessment & Authorization
All CSPs must conduct:
- An annual assessment
- Monthly vulnerability scans
- Threat reporting
- Significant change requests, submitted as needed
Continuous monitoring is mandatory for both the agency and JAB authorizations.
FedRAMP streamlines data security for the information age by providing a consistent method for cybersecurity for cloud services. FedRAMP authorized solutions include:
- Continuous monitoring
- Vulnerability scanning
- Malicious activity detection
- IP whitelisting
- Network security incident plan
- Security audit trail
The entire system, including infrastructure, platform, and software, needs to be FedRAMP authorized against the NIST SP 800-53 Revision 4 baseline to be compliant.
For more information, you can review the FedRAMP Agency Authorization Playbook.
The FedRAMP Marketplace
Once a cloud service offering passes into the authorization phase, it can be included in the FedRAMP marketplace.
The marketplace is a directory of FedRAMP authorized service offerings where you can search by provider or product through the database available for government agency use.
There are 3 designations that a cloud service offering can be listed under:
- FedRAMP Ready
- FedRAMP In Process
- FedRAMP Authorized
FedRAMP Ready is a designation indicating that a 3PAO has verified the CSP’s security capabilities and that a Readiness Assessment Report has been reviewed and deemed acceptable by FedRAMP.
FedRAMP In Process is a designation indicating that the CSP is actively working toward a FedRAMP Authorization and has completed at least one requirement.
FedRAMP Authorized is the designation that confirms the successful completion of the FedRAMP Authorization process.
Accredited auditors that can conduct the FedRAMP assessment are also listed in the FedRAMP Marketplace.
Upcoming Changes to FedRAMP
The House of Representatives passed legislation on January 5th, 2021 that is intended to streamline and improve the FedRAMP process. The FedRAMP Authorization Act addresses many concerns: it attempts to reduce duplication, automate the certification process, and establish a Federal Secure Cloud Advisory Committee.
Cybersecurity has been a hot topic in the past few years, but this year especially as government agencies investigate the massive breach through SolarWinds’ network. As the federal government tries to make sense of this hack and comes up with a plan to strengthen network security across the board, cybersecurity requirements will inevitably change. Therefore, it’s important to stay up to date on any government contractor regulations.
To keep up with government contracting news and insights be sure to subscribe to our blog and our monthly newsletter. If you have any questions about the FedRAMP processes or certification, or any other GSA Schedule contract requirements, one of our consultants would be happy to help you.
About Leslie Crowley
Leslie Crowley is an Account Manager for Winvale’s Public Sector Technology department where she manages partner accounts under Winvale’s GSA MAS Large Category F contract. Leslie has vast experience building new business, securing customer loyalty, and forging strong relationships with external business partners.