What is the Federal Risk and Authorization Management Program (FedRAMP)?
FedRAMP grew out of the Cloud First policy, issued in 2010 by the U.S. Office of Management and Budget (OMB) with the intent of improving the efficiency of government services. Through cloud computing, federal agencies can consolidate systems and provision new services faster while reducing information technology costs. Cloud computing also enables efficiencies in services to citizens and, when properly governed, can offer stronger cybersecurity safeguards than many agencies achieve with traditional IT methods.
Cloud First puts Cloud Service Providers (CSPs) in a position of significant opportunity. However, cloud adoption also requires a secure and trustworthy environment, which is where FedRAMP steps in. FedRAMP defines requirements for CSP security controls, including vulnerability scanning, incident monitoring, logging, and reporting. June 2014 was the deadline for CSPs already in use at federal agencies, or under acquisition, to meet federal cloud computing security requirements (i.e., FedRAMP).
FedRAMP has two primary goals for improving the government's transition to cloud-based services:
- Develop a standard, risk-based security framework to improve the conformity, security, and clarity of cloud security authorization documentation, mitigating agency data risk exposure
- Encourage the sharing of documentation, information, and testing across the government to improve efficiency and reduce assessment and authorization costs.
Independent assessors, known as Third Party Assessment Organizations (3PAOs), play a critical role in the FedRAMP security assessment process. An independent assessor verifies the CSP's security implementation and reports the risk posture of the cloud environment to support a security authorization decision. These assessment organizations must demonstrate independence from the CSP and the technical competence required to test security implementations and collect representative evidence. Independent assessors:
- Plan and perform security assessments of CSP systems
- Review security package artifacts in accordance with FedRAMP requirements
The Security Assessment Report (SAR) created by the assessor is the key deliverable that agencies rely on when reusing a FedRAMP security assessment package.
FedRAMP is a collaboration among the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense (DOD), and the Department of Homeland Security (DHS).
See a one stop source for FedRAMP at https://www.fedramp.gov.
FedRAMP – The Process
FedRAMP utilizes a “do once, use many times” approach designed to reduce the cost of compliance versus requesting assessments each time an agency initiates a CSP acquisition.
FedRAMP implements the requirements of the Federal Information Security Management Act (FISMA) of 2002 and leverages the National Institute of Standards and Technology (NIST) baseline controls and risk management framework. FedRAMP risk management is organized into four process areas in the Security Assessment Framework (SAF): Document, Assess, Authorize, and Monitor. The steps below walk through those areas in order:
- Categorize the system – The CSP determines the system's impact level (Low, Moderate, or High) in accordance with FIPS 199, using the FedRAMP FIPS 199 categorization template. Note: Currently, FedRAMP does not apply to High-impact systems, although guidance for High-impact systems is available.
- Select and implement security controls – The CSP selects the NIST baseline security controls that correspond to its system categorization and implements them. For any control that is not fully implemented, the CSP must document its justification for not implementing the control.
- Create a System Security Plan (SSP) – The CSP documents the details of the above steps in an SSP for review. The SSP describes the security authorization boundary, how the implementation addresses each required control, roles and responsibilities, and expected behavior of individuals with system access. Every security package must include an SSP for review.
- Supplemental documents for submission – Supplemental documents include Security Policies, the Privacy Analysis, the e-Authentication Worksheet, the User Guide, Rules of Behavior, the IT Contingency Plan, the Configuration Management Plan, the Control Implementation Summary (CIS), the Incident Response Plan, and a Privacy Impact Assessment (if applicable).
- Security assessment plan (SAP) – CSPs must use an independent assessor (3PAO) to test the controls as documented in the SSP. The assessment starts with the SAP, which the independent assessor develops to define the scope, methods, and schedule of testing. Authorizing officials must approve the SAP before testing begins.
- Perform security testing – The independent assessor performs testing in accordance with the SAP. Testing includes completion of FedRAMP control test cases, penetration testing, configuration scans, and authenticated vulnerability scans of the CSP system.
- Security assessment report (SAR) – The independent assessor prepares a report using FedRAMP templates. The SAR contains information about vulnerabilities, threats, and risks discovered during the testing process. The SAR also contains guidance for CSPs in mitigating the security weaknesses found. Authorizing officials review the SAR.
- Plan of action and milestones (POA&M) – The CSP must address vulnerabilities noted in the SAR and demonstrate a plan for correcting weaknesses. The POA&M serves as a tracking system for the CSP.
- Authorization – The CSP submits all documents noted above, including the SAR and POA&M. Authorizing officials review the entire package and make a risk-based decision on authorization.
- Authorization letter – The formal decision is documented in an Authorization to Operate (ATO) letter from the authorizing officials to the CSP and the FedRAMP Program Management Office (PMO). The CSP is then added to the list of authorized CSPs at www.fedramp.gov.
- Operational visibility – This is FedRAMP's continuous monitoring requirement. It includes periodic submission of control artifacts (such as vulnerability scan results) and an annual re-assessment, which is completed by an independent assessor.
- Change control – The CSP must notify authorizing officials of changes that might impact the ability to meet FedRAMP requirements.
- Incident response – As documented in the SSP, the CSP must have incident response plans in place for all FedRAMP-compliant systems. Severe incidents may trigger a review of the CSP's authorization, and failure to report incidents may also trigger a review.
Where to Start?
Don't go it alone through the FedRAMP process. It is important to communicate early and often with your 3PAO and with a firm that can prepare your organization for the nuances of FedRAMP. Begin with a pre-assessment.
At Barr Assurance & Advisory, our service delivery team can guide you through the FedRAMP process and answer any questions you may have. Contact us today for more information.