As a government agency, there are many advantages to being able to tap into cloud technologies. From eliminating time-consuming manual tasks and reducing paperwork, cloud technologies offer a spectrum of efficient and effective improvements over traditional methods. Plus, software as a service (SaaS) subscription-based models can help reduce annual information technology costs.<\/p>\n
To implement these technologies, however, you\u2019ll need to comply with the Federal Risk and Authorization Management Program known as \u00a0FedRAMP provides a standardized approach for assessing and complying with government security controls, authorizing cloud products and services, and proving continuous monitoring of systems. It’s managed by the FedRAMP Program Management Office (PMO).<\/p>\n
FedRAMP authorization can seem daunting, but if you have the right resources and preparation in place, the process can be streamlined and simplified. In fact, there\u2019s a lot less for a Federal agency to do than you might think. The burden is predominantly on the cloud service provider (CSP) whose services you wish to use and its independent assessor over your team and internal resources.<\/p>\n
There are several common myths, misconceptions, and questions about FedRAMP requirements and processes \u2013 and a few benefits to understand given the investment and effort of the program.<\/p>\n
To help clarify, we spoke with expert James Masella<\/a>, Vice President of Compliance Advisory Services, at Coalfire<\/a> \u2013 a leading provider of IT security assessments for many security standards and payments frameworks and programs, including FedRAMP support.<\/p>\n Masella has been working in IT for 20 years \u2013 15 of them focused on security assessments for Federal controls, most prominently, helping organizations comply with National Institute of Standards and Technology (NIST) cybersecurity controls<\/a>. Over his career, Masella has accomplished over 70 FedRAMP compliance and assessment projects \u2013 and has been working on them since the program\u2019s infancy in 2015. He\u2019s been with Coalfire for eight years.<\/p>\n If you\u2019re evaluating cloud technologies, such as a workplace and asset maintenance platform<\/a>, it helps to have a background in the evolution of FedRAMP since there are many different cybersecurity compliance and controls to manage. In fact, the program was created specifically with this knowledge. The entire goal of FedRAMP is to accelerate the adoption of secure cloud solutions in the Federal government.<\/p>\n It streamlines the authorization process for CSPs and improves confidence in the security of cloud solutions. FedRAMP was created by the General Services Administration (GSA) in partnership with the US Department of Defense (DoD) and NIST.<\/p>\n \u201cThe big problem that FedRAMP was meant to solve was the Federal government knew it needed to modernize its IT infrastructure because their model was not sustainable,\u201d explains Masella. \u201cCommercial cloud services were a lot more affordable than the way much of the government manages IT infrastructure and provided better services.\u201d<\/p>\n The challenge is having assurance that the security of those commercial cloud services is meeting the requirements for the Federal government. And under the Federal Information Security Modernization Act (FISMA), every federal agency can implement its own security plan if it follows the guidelines of the law \u2013 which also include audits and independent assessments.<\/p>\n FedRAMP pulls that all under one umbrella and allows all Federal agencies to leverage independent assessors to reduce duplicate effort within audit and assessment work. But FedRAMP is not a certification \u2013 it\u2019s a compliance framework within a Federal program that an organization is either authorized to be a part of or not.<\/p>\n \u201cFedRAMP is a different animal,\u201d says Masella. \u201cYou actually are building an information system for Federal government use and the government is authorizing that system for use for Federal data.”<\/p>\n Any vendor who has gone through an extensive audit process can be listed in the FedRAMP marketplace<\/a>, so Federal agencies can easily find and procure services without having to do additional research or due diligence. It makes it easier for departments, such as the Department of Homeland Security (DHS), DoD, or healthcare organizations including the Centers for Medicare & Medicaid Services (CMS) to purchase products from vetted vendors quickly while reducing costs associated with IT resources.<\/p>\n The good news is there are over 300 authorizations on the FedRAMP marketplace today, and some of them are large, some are small. They’ve all solved many of the challenges and issues already, relays Masella.<\/p>\n The PMO is responsible for managing documents, such as policies, procedures, standards, guidance documents, templates, checklists, etc., which are used throughout all stages of authorization. The FedRAMP Joint Authorization Board<\/a> (JAB) reviews all provisional Authority to Operate (ATO) packages before they are authorized.<\/p>\n The 3PAOs \u2013 Third Party Assessment Organizations \u2013 conduct independent security assessments for agencies before issuing a Provisional ATO. These 3PAOs assess each system\u2019s compliance with NIST 800-53 standards, as well as other requirements specified by each agency or department at four different Impact Levels ranging from Low to High. Coalfire is an example of a 3PAO.<\/p>\n \u201cIn the case where a CSP has engaged an advisor, the advisor entities are doing all of the work,\u201d says Matella. \u201cThe [government] agency just has their due diligence under the law to review the risk. That’s it. It’s the same thing they would have to do if they were the second agency or the last agency or the agency in the middle. There is no difference.\u201d<\/p>\n The heavy lift and burden are accomplished by the 3PAOs and the cloud service provider.<\/p>\n Depending on the risk associated with a particular service, organizations must demonstrate their commitment to security to gain authorization from the JAB. The requirements range from basic NIST 800-53 Rev 4 controls at Low Impact Level (Level 1) all the way up to DHS Risk Management Framework regulations and additional physical protection measures at High Impact Level (Level 3).<\/p>\n Once a Provisional Authority to Operate (PATO) has been granted, it is valid for three years, however organizations are expected to continuously monitor their systems and update any changes made since initial authorization was granted.<\/p>\n If this is the first time you are dealing with FedRAMP, it\u2019s important to understand some of the most common issues that can arise. Many of these will be the burden of the CSP you wish to use \u2013 but it\u2019s better to know what they are upfront.<\/p>\n First, it\u2019s important to communicate to the CSP your specific agency\u2019s policies on who can access information. Some hurdles involve the standards and requirements themselves, relays Matella. These include technology and process compliance areas, such as validated encryption, requirements of internal flows, and connections to external services \u2014 they all must be FedRAMP authorized.<\/p>\n \u201cIn many cases, it’s not a Fed RAMP requirement, but it can be a requirement from agencies that only US persons or US citizens can actually access the production environments,\u201d he says. \u201cAnd many of these commercial cloud services are supported by offshore support and many have a \u2018follow the sun\u2019 (operational) model.\u201d<\/p>\n As Masella points out, these issues have been dealt with before by other agencies and CSPs, but it\u2019s one that needs to be addressed and understood from the outset.<\/p>\n Secondly, CSPs themselves may think they know compliance, but it can be more work than they know. Many IT leaders assume they have the expertise in-house to handle FedRAMP since they already have an internal security team. Just because they have a robust engineering team, it doesn\u2019t mean it\u2019s going to be easy to architect a system to meet FedRAMP requirements.<\/p>\n \u201cMany times, the engineering teams are great at designing infrastructure and applications, but once you take away a lot of the tools that they have been using or you have to implement some new measures that they didn’t have to have before, this can complicate things,\u201d says Masella.<\/p>\n For example, perhaps a CSP doesn\u2019t perform vulnerability scanning internally or they don\u2019t do file integrity management today and must implement and use it. Now they’re having to decide on new tool sets \u2013 which take time to evaluate and get up to speed.<\/p>\n The other problem area Masella sees a lot is not having the business case worked out and detailed enough for the investment. If the CSP hasn’t done enough market research, they can easily get derailed.<\/p>\n \u201c[A CSP] might not be able to get that first initial authorizing agency, might not get on the marketplace, might start the investment and it begins to get pretty big, and the return-on-investment case might not be there,\u201d says Masella.<\/p>\n The best guidance is for the CSP to work with an experienced, third-party FedRAMP advisor preparation provider. And as he points out, many of the challenges and pitfalls can be avoided since much of it has been sorted out already. Getting this kind of information upfront will help you speed up your FedRAMP authorization process overall.<\/p>\n <\/p>\n <\/p>\n <\/p>\n FedRAMP helps government agencies like yours make sure your data remains secure while reducing duplication when purchasing compliant offerings in the approved marketplace<\/a>. It also provides assurance that any cloud solution used meets pre-defined security requirements, so that you can have peace of mind knowing your data is being always kept safe and secure.<\/p>\n After you go through the FedRAMP process for the first time, it will open up the door to a world of new and evolving cloud technologies forever.<\/p>\n <\/p>\nWhat is FedRAMP?<\/h2>\n
Delineation of work under FedRAMP: Who is responsible and for what?<\/h2>\n
The requirements for FedRAMP compliance<\/h2>\n
Preparing for FedRAMP: What you need to know<\/h2>\n
FedRAMP checklist<\/h2>\n
Common FedRAMP questions<\/h3>\n
\n
Common FedRAMP misconceptions<\/h3>\n
\n
\n\n
\n FedRAMP Questions \/ Misconceptions<\/td>\n Answers<\/td>\n<\/tr>\n \n Is FedRAMP a certification?<\/td>\n No, it\u2019s a program. You use a compliance framework, audits, assessments to be authorized to be within FedRAMP.<\/td>\n<\/tr>\n \n How long should it take to finish the FedRAMP process?<\/td>\n It depends. Very fast is 90 days. Most common is 9 to 12 months depending on prioritization and changes needed.<\/td>\n<\/tr>\n \n What should be prioritized first when seeking FedRAMP authorization?<\/td>\n Gaps between FedRAMP framework and your current state of compliance.<\/td>\n<\/tr>\n \n Can artificial intelligence help speed up the process?<\/td>\n AI has a significant role to play in automating the creation and review of documentation packages which could speed up the process and increase the number of services in the marketplace, but it\u2019s not in widespread use yet.<\/td>\n<\/tr>\n \n Our Federal agency will have to do a heavy lift.<\/td>\n Actually, the CSP we want to use and its 3PAO will do the bulk of the technology and process compliance. Our agency will perform due diligence on risk under the law.<\/td>\n<\/tr>\n \n The CSPs engineering team work on security compliance already, so FedRAMP work should be easy.<\/td>\n This is the most common pitfall: A large engineering team does not mean you will easily meet FedRAMP requirements.<\/td>\n<\/tr>\n \n FedRAMP takes a lot longer than it should.<\/td>\n Preparation with CSPs and independent guidance will help speed up the process. Know your specific agency information access policies and communicate them upfront to CSPs. Encourage CSPs to work with a 3PAO.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n