The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide “cloud policy” first issued in February 2011. For a cloud service provider (CSP), or cloud service offering (CSO), to be used by a federal agency the cloud service provider must first demonstrate FedRAMP compliance.
FedRAMP requirements are selected from the NIST SP 800-53 Revision 4 baseline controls, with additional control enhancements and guidance for cloud services. These control enhancements address the unique elements of cloud computing to ensure all federal data is, and remains, secure in cloud environments.
There are two distinct ways to demonstrate FedRAMP compliance or obtain a FedRAMP Authority to Operate (ATO). The primary difference between an Agency FedRAMP ATO and a JAB P-ATO is the scope of the authorization, or ATO:
Obtain a FedRAMP ATO directly from a federal agency.
“An agency FedRAMP ATO is applicable to that agency only; having an Agency FedRAMP ATO does not mean that other agencies are authorized to use that CSO. Once an agency FedRAMP ATO is obtained, any subsequent federal agency can leverage the initial authorization package in support of issuing their own FedRAMP ATO for their agency, but the security assessment must be evaluated against the agency’s own distinct risk profile. Most FedRAMP authorizations follow the agency ATO path.” (1)
Receive a FedRAMP Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB)
“The JAB cannot accept risk for any federal agency. Therefore, the ATO issued by the JAB is provisional meaning that the risk posture of the CSO has been reviewed and approved by the JAB, but each federal agency is still responsible for issuing an agency ATO demonstrating their acceptance of risk regarding the use of a particular CSO. Since a JAB P-ATO essentially represents the most stringent of FedRAMP authorizations, additional security testing is often not required before a federal agency issues their own ATO.” (1)
Accelerate the process
Cloud Service Providers (CSP) need to implement the appropriate security controls to prepare for a FedRAMP ATO. This starts by categorizing their solution in accordance with FIPS-199. The categorization of Low, Moderate, or High impact levels will determine the associated NIST 800-53 controls along with the FedRAMP requirements. Ideally the implementation of a solution, such as SD Elements, will automate the mapping of all applicable controls – based on the baseline impact level (Low, Moderate, High) – and accelerate the path towards ATO.
All agencies must also report their compliance with FedRAMP on a quarterly basis, via PortfolioStat. This includes ensuring that the controls that were put in place continue to be adhered to. Monthly vulnerability scans must also be executed against the appropriate hardware stacks and applications. Ideally an automated solution provides reporting that documents continuous compliance monitoring against all FedRAMP controls.
The Go-Forward benefits of compliance
FedRAMP compliance is designed to follow the government’s goal of “do once, use multiple times”. Meaning, once an organization obtains an ATO or P-ATO this authorization can be leveraged by additional federal agencies.
Take our newest (free!) training course to learn more about the ATO process in a fast-moving Agile world:
To learn more about FedRAMP click here: https://www.fedramp.gov/faqs/