For SaaS applications and cloud service providers (CSPs), maintaining compliance with FedRAMP requirements is critical to the bottom line. It means the difference between working with U.S. government agencies—or not.
But as one might expect from a bureaucratic process, getting FedRAMP authorization is complicated and takes time. Before starting the FedRAMP approval process, teams and company leaders must understand the required steps, prepare thoroughly, and muster their patience.
What is FedRAMP?
FedRAMP, or the Federal Risk and Authorization Management Program, provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
The program was established in 2011 by the Office of Management and Budget (OMB). Its governing body, the Joint Authorization Board (JAB), is made up of the Chief Information Officers of the Department of Homeland Security, the General Services Administration, and the Department of Defense.
FedRAMP is designed for three main purposes:
- To ensure cloud applications and services government agencies use have appropriate safeguards
- To support efficient and cost-effective procurement of information services and systems
- To eliminate duplicate efforts and risk management costs across government agencies
What businesses need to be FedRAMP compliant?
Any CSP or SaaS application that processes federal data on behalf of a U.S. government agency must demonstrate FedRAMP compliance. To drive the point home, federal contracts for cloud services carry standardized clauses that spell out FedRAMP requirements.
Just like their counterparts in the private sector, government agencies rely on a plethora of technical tools to perform and optimize daily operations. These tools range from cloud storage to developer productivity tools and cover anything delivered as a cloud service.
Well-known organizations that sell cloud services and SaaS apps to government agencies include AWS, Salesforce, Oracle, GitHub, IBM, ServiceNow, Microsoft Azure, and Google. Each of these providers offers a government-specific version of their product for a limited user base with enhanced features for security and specific FedRAMP requirements.
How do businesses demonstrate FedRAMP compliance?
To become FedRAMP compliant, businesses must go through a demanding authorization process. This requires organizations to demonstrate a fully functional system and a leadership team that understands and supports the FedRAMP process.
The authorization process has four main phases: documentation, assessment, authorization, and monitoring. Each of these phases has related actionable steps, which are outlined in the FedRAMP requirements checklist in the next section.
Companies spend the majority of time and effort in the documentation phase, which can take several months depending on the complexity of the organization and product. Documentation involves planning and gathering pertinent information and materials. Additionally, this phase covers implementing security controls and requires making decisions that will affect the overall FedRAMP authorization process.
FedRAMP Requirements Checklist
1. Partner with a federal agency
The organization seeking FedRAMP compliance should form a partnership with a government agency. While it is not required, such a partnership helps CSPs align their services with specific government sector needs. It is also a rich source of feedback, guidance, and support. Ideally, CSPs would find a partner agency that is a target customer or has directly expressed interest in purchasing from the CSP.
2. Decide between P-ATO and ATO authorization
There are two authorization paths CSPs can select from to meet FedRAMP requirements: a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB), or an Authority to Operate (ATO) letter from a single federal agency.
A P-ATO carries broader weight: once the JAB grants it, any federal agency can rely on the JAB's risk review instead of repeating the assessment itself. Note that a P-ATO is not by itself an authorization for any particular agency; each agency still issues its own ATO, but it can do so on the strength of the JAB's review. Obtaining a P-ATO is an extremely involved process, and the JAB only has the resources to grant a limited number each year. For these reasons, obtaining an agency ATO is less expensive and can get a product into the hands of government employees much faster.
Deciding between a P-ATO and an agency ATO should depend on how broadly government agencies are expected to use the product and on the urgency of authorization and government adoption.
3. Select security impact level
FedRAMP classifies cloud service offerings by security impact level, following FIPS 199, designating each offering Low, Moderate, or High.
Low impact generally describes products that do not store personally identifiable information (PII) beyond login details. A loss of confidentiality, integrity, or availability of such a system would have only a limited adverse effect on the agency or on individuals.
Moderate impact describes the majority of FedRAMP-authorized products. This category indicates that a loss of confidentiality, integrity, or availability would have a serious adverse effect on an agency's operations, assets, or finances, or would cause harm to individuals. In this case, individual harm does not extend to physical injury or death.
High impact is typically reserved for products serving law enforcement and emergency services, financial systems, and healthcare operations. In this case, a compromise of confidentiality, integrity, or availability could have severe or catastrophic consequences, including loss of life.
FedRAMP uses the FISMA definitions of confidentiality, integrity, and availability:
- Confidentiality: Authorized restrictions on information access and disclosure are preserved, including the means for protecting personal privacy and proprietary information
- Integrity: Information is guarded against improper modification or destruction, which includes ensuring non-repudiation and authenticity
- Availability: Timely and reliable access to and use of information is ensured
4. Implement security controls
Next, teams must fulfill the FedRAMP requirements for their impact level as outlined in the FedRAMP Security Controls Baseline. The baselines are built on the NIST SP 800-53 security controls, with additional controls and control parameters that address risks specific to cloud computing environments.
The control families in the FedRAMP Security Controls Baseline include:
- Access Control
- Awareness & Training
- Audit & Accountability
- Configuration Management
- Contingency Planning
- Identification & Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical & Environmental Protection
- Planning (system security planning)
- Personnel Security
- Risk Assessment
- Security Assessment & Authorization
- System & Services Acquisition
- System & Communications Protection
- System & Information Integrity
Meeting the FedRAMP Security Controls Baseline is the minimum requirement for any type of FedRAMP authorization. Individual federal agencies may require additional security controls specific to the agency's function, operations, and environment, and some requirements will depend on the kind of service the provider offers. For example, cloud storage companies may be required to provide physical security at a data center, including video surveillance and protection against environmental threats like flooding and fire.
5. Document implementation of security controls
After implementing the security controls, document the details of the implementation in a System Security Plan (SSP). This document should describe the authorization being sought and the impact level, how each control implementation meets FedRAMP requirements, the system's authorization boundary, internal roles and responsibilities, and expected user behavior.
6. Prepare supporting documentation for the security package
As part of the FedRAMP requirements, organizations must submit a security package of supporting documentation in addition to the SSP.
Supporting documentation includes:
- E-Authentication Worksheet
- Privacy Threshold Analysis
- Privacy Impact Assessment (if applicable)
- Information Security Policies
- User Guide
- Rules of Behavior
- IT Contingency Plan
- Configuration Management Plan
- Control Implementation Summary (CIS)
- Incident Response Plan
7. Hire an independent assessor to test the system and security controls
After an organization prepares documentation for the security package, it will need to hire an independent assessor. The assessor tests the system to verify that the security controls have been implemented correctly and work as expected.
Companies seeking a P-ATO must use a Third Party Assessment Organization (3PAO) accredited by the American Association for Laboratory Accreditation (A2LA). Companies seeking an agency ATO may, at the agency's discretion, use an independent assessor that is not an accredited 3PAO, though FedRAMP strongly recommends a 3PAO in either path.
8. Review the assessor’s Security Assessment Report
After the assessor has performed the testing, they will issue a Security Assessment Report (SAR) that documents discovered vulnerabilities, threats, and risks. The report should also include guidance for mitigating any revealed weaknesses.
Organization leaders can work with the assessor to review the report and ensure the information is accurate and up to date before the assessor submits it to the federal agency's security team or the JAB. This review is for correcting factual errors and confirming evidence; the assessor's findings and risk ratings remain the assessor's independent judgment.
9. Develop a Plan of Action and Milestones to address vulnerabilities
Organizations will need to develop a Plan of Action and Milestones (POA&M) for any vulnerabilities they were not able to address prior to the report submission. They must also submit this document to the federal agency’s security team or JAB.
10. Submit security package to authorizing official
After assessing the SAR and preparing all required deliverables, it’s time to submit the entire security package to the security team at the individual federal agency or JAB. They will either approve the package or request additional testing.
11. Obtain Authority to Operate (ATO) letter from authorizing official
If the authorizing official or the JAB is satisfied with the SAR and security package, and accepts any associated residual risk, they will issue the authorization. In the agency path this is an ATO letter signed by the agency's authorizing official; in the JAB path it is a P-ATO letter, which agencies then rely on when issuing their own ATOs.
12. To maintain authorization, implement continuous monitoring
After an organization receives the ATO, it must still take steps to maintain authorization. These include implementing continuous monitoring to ensure the system stays within the risk level accepted at authorization: in practice, monthly vulnerability scans of operating systems, web applications, and databases, monthly POA&M updates delivered to the authorizing official, an annual assessment by the assessor, and a significant change request before any material change to the authorization boundary. Organizations may need to take other steps, like employee training, to ensure the system continues to meet FedRAMP requirements.
If a CSP fails to take these measures, the agency can revoke its ATO, and the JAB can revoke a P-ATO.
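The POA&M tracking that continuous monitoring depends on is easy to get wrong by hand, so here is a small added example of how a CSP might automate it. This is illustrative code written for this article, not code from FedRAMP or from any tool the page describes. It assumes the remediation windows from FedRAMP's continuous monitoring guidance (High within 30 days of discovery, Moderate within 90, Low within 180), treats Critical like High, and runs on constructed sample findings rather than real scan output.

```python
"""Added example: open POA&M items from scan findings and flag overdue ones.

Assumptions (not taken from the article):
  - Remediation windows follow the FedRAMP Continuous Monitoring Strategy
    Guide: High/Critical 30 days, Moderate 90 days, Low 180 days.
  - The findings and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Dict

# Days allowed from discovery to closure, by scanner severity (assumption above).
REMEDIATION_DAYS = {"critical": 30, "high": 30, "moderate": 90, "low": 180}


@dataclass
class Finding:
    finding_id: str          # scanner or tracker identifier
    severity: str            # critical | high | moderate | low
    discovered: date         # date the scan first reported it
    asset: str               # host or component inside the authorization boundary
    closed: Optional[date] = None


@dataclass
class PoamItem:
    finding: Finding
    due: date
    status: str              # open | closed | closed_late | overdue


def open_poam(findings: List[Finding], as_of: date) -> List[PoamItem]:
    """Derive a POA&M entry for every finding, with status as of `as_of`."""
    items = []
    for f in findings:
        sev = f.severity.lower()
        if sev not in REMEDIATION_DAYS:
            # Unknown severities must be triaged, not silently dropped.
            raise ValueError(f"unknown severity {f.severity!r} on {f.finding_id}")
        due = f.discovered + timedelta(days=REMEDIATION_DAYS[sev])
        if f.closed is not None:
            # A late closure is still a missed deadline the AO will want to see.
            status = "closed_late" if f.closed > due else "closed"
        elif as_of > due:
            status = "overdue"
        else:
            status = "open"
        items.append(PoamItem(f, due, status))
    return items


def overdue_ids(items: List[PoamItem]) -> List[str]:
    """IDs of findings still open past their remediation deadline."""
    return sorted(i.finding.finding_id for i in items if i.status == "overdue")


def summary(items: List[PoamItem]) -> Dict[str, int]:
    """Counts per status, suitable for the monthly ConMon deliverable."""
    counts = {"open": 0, "closed": 0, "closed_late": 0, "overdue": 0}
    for i in items:
        counts[i.status] += 1
    return counts


# Constructed sample input: four findings from a hypothetical monthly scan.
SAMPLE_FINDINGS = [
    Finding("V-001", "high", date(2024, 1, 2), "web-01"),
    Finding("V-002", "moderate", date(2024, 1, 2), "db-01"),
    Finding("V-003", "low", date(2023, 6, 1), "bastion-01"),
    Finding("V-004", "high", date(2024, 2, 10), "web-02", closed=date(2024, 2, 20)),
]
AS_OF = date(2024, 3, 1)  # reporting date for this month's POA&M

if __name__ == "__main__":
    items = open_poam(SAMPLE_FINDINGS, AS_OF)
    for i in items:
        print(f"{i.finding.finding_id:6} {i.finding.severity:9} due {i.due}  {i.status}")
    print("overdue:", overdue_ids(items))
    print("summary:", summary(items))
```

The overdue list is the part an authorizing official reacts to; a CSP that has not addressed a High within its window is expected to explain why in the POA&M, and a pattern of overdue items is what puts an authorization at risk.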
Optimize FedRAMP Compliance with TrustCloud
The process of becoming and staying compliant with FedRAMP requirements is time-consuming and costly. TrustCloud takes work and stress away from IT teams and company leaders to ensure continuous compliance at all times.
TrustCloud helps organizations prepare for the FedRAMP authorization process by generating custom controls, tests, and policies. Additionally, with TrustCloud’s common controls framework, teams can quickly implement other security frameworks, like SOC 2, GDPR, HIPAA, and more. With the gap analysis feature, you’ll be able to see your org’s overall readiness for multiple different audits.
No one wants to think about FedRAMP requirements. TrustCloud does the tedious compliance work that keeps CIOs up at night. Ready for a good night's sleep?