Established by a United States Office of Management and Budget (OMB) memorandum in December 2011 and operational since 2012, the Federal Risk and Authorization Management Program, known as FedRAMP, is one of the federal government’s most rigorous security compliance frameworks. Its Low, Moderate, and High security baselines are built from the controls in NIST SP 800-53.
FedRAMP enables the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations. It provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies, giving agencies a cost-effective, risk-based approach to adopting and using cloud services, and allowing one authorization package to be reused by many agencies rather than each agency assessing the same service from scratch.
1. Joint Authorization Board (JAB)
The JAB is the primary governance and decision-making body for FedRAMP. Its members are the chief information officers (CIOs) of the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA).
2. Program Management Office (PMO)
The PMO resides within GSA and supports agencies and cloud service providers (CSPs) through the FedRAMP authorization process. The PMO also maintains a secure repository of FedRAMP authorization packages so that an authorization granted once can be reused by other agencies.
What is the FedRAMP Marketplace?
The FedRAMP Marketplace is maintained by the FedRAMP Program Management Office (PMO). It serves as a searchable database of Cloud Service Offerings (CSOs) that have achieved a FedRAMP designation (Ready, In Process, or Authorized) and of accredited Third Party Assessment Organizations (3PAOs) that can perform FedRAMP assessments.
ControlCase is a FedRAMP Third Party Assessment Organization (3PAO). 3PAO status is granted through accreditation by A2LA and verifies that ControlCase has the technical competence and independence FedRAMP requires to assess cloud service offerings and to perform the independent testing that supports a FedRAMP authorization (FedRAMP issues authorizations rather than certifications, although "FedRAMP certified" is common shorthand).
Who does FedRAMP Apply to?
Any cloud service offering that processes, stores, or transmits federal information on behalf of an executive branch agency must be FedRAMP Authorized.
FedRAMP prescribes the security requirements and the assessment, authorization, and continuous monitoring processes that cloud service providers must follow before an agency may use their service.
How hard is it to get FedRAMP Authorized?
There are two paths to a FedRAMP authorization: a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) and an Agency Authority to Operate (ATO) issued by an individual agency.
1. PROVISIONAL AUTHORITY TO OPERATE (FedRAMP P-ATO)
• Issued by the Joint Authorization Board.
• Prioritizes cloud services that are likely to be widely used across government.
• The CIOs of DoD, DHS and GSA must agree that the CSP meets all baseline controls and presents an acceptable risk posture for use across the federal government.
• Conveys a baseline level of likely acceptability for government-wide use; each agency still issues its own ATO on top of the P-ATO before using the service.
• CSPs must use an accredited Third Party Assessment Organization (3PAO) for the assessment.
• The JAB, supported by the FedRAMP PMO, oversees the CSP's continuous monitoring activities.
2. AGENCY AUTHORITY TO OPERATE (FedRAMP ATO)
• Issued by the authorizing agency only, based on that agency's own risk decision.
• Agencies have varying levels of risk acceptance, so the same offering may be accepted by one agency and not another.
• The agency reviews the CSP's continuous monitoring deliverables (scan results, POA&Ms, and incident and change reports).
• Agencies typically require a 3PAO, such as ControlCase, to perform the independent testing.
Preparing for FedRAMP Compliance & FedRAMP Authorization
1. Security Expertise – Complying with federal security requirements is no easy task. It is important to find a knowledgeable partner that can assist in designing and implementing controls that satisfy FedRAMP, NIST SP 800-53 and FISMA.
2. Collaborate – Ensure all business stakeholders are involved early and often. This will enable the prompt handling of strategic components and other key logistics on an ongoing basis.
3. Commitment – Ensure all stakeholders understand, agree on and acknowledge the benefits of becoming FedRAMP authorized. Establishing this will drive commitment to the project and ensure accountability.
4. Engage Leadership – Gaining buy-in from the highest levels of the organization as early as possible will help ensure resource allocation, budget and commitment from the rest of the team.
FedRAMP's baselines are built from the NIST SP 800-53 control catalog. The control families group into the following domains, each of which must be implemented, documented in the System Security Plan, and tested by the 3PAO:
- Application Security
- Governance & Compliance
- Physical Security
- Configuration Management
- Data Encryption at Rest and in Transit (using FIPS 140-validated cryptographic modules)
- Logical Access
- Security Testing
- Incident Response
- Logging & Monitoring
- Risk Assessment
- Policies & Procedures
- Change Management
- Third-Party Management
- Business Continuity Plan
ControlCase Methodology for FedRAMP Compliance
As a 3PAO, ControlCase will independently verify and validate the control implementation and test results for your organization, the Cloud Service Provider (CSP), using a four-phase approach. Each phase has a specific set of tasks and deliverables to guide you, as the CSP, through the FedRAMP Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) process.