FedRAMP and You

Nick Deshpande
4 min read, May 29, 2017

The Federal Risk and Authorization Management Program (FedRAMP) is a compliance regime to which cloud vendors (i.e. Cloud Service Providers, CSPs) selling to government agencies are subject. Compliance with FedRAMP is a mandatory step for vendors with cloud-based SaaS/IaaS/PaaS/etc. offerings to work with and support agencies. Once complete, a FedRAMP assessment can be referenced by other departments as long as it remains valid, shortening the timeline for procurement and enhancing the visibility of providers across a vast market. Unfortunately, state agencies do not have access to assessments today; however, a vendor can broadcast its ‘FedRAMP Ready’ or ‘FedRAMP Authorized’ status as a differentiator.

The program seeks to optimize the evaluation process and provides CIOs the assurance that a given provider has been subject to stringent security and privacy standards based on NIST and related guidance like Federal Information Processing Standard (FIPS). Many NIST standards map to ISO, which might ease the compliance journey.

Where to start?

After making the determination to participate, CSP aspirants might assemble a Tiger Team with personnel from their GRC, product marketing, engineering, operations, and security teams to work with a Third Party Assessment Organization (3PAO). Significant work can take place ahead of time, and doing so is sound practice for any organization. NIST SP 800-53 is your friend.

As of 2016, it’s no longer necessary to submit reams of documentation to start an assessment. There are three phases to FedRAMP’s accelerated certification stream: [1] readiness assessment (outcome: declared “Ready”); [2] CSP Security Package Development (outcome: “proceed to Joint Authorization Board”); and, [3] JAB Authorization Process (outcome “Authorization to Operate”). It would appear possible to achieve all three phases inside of one year, assuming the CSP candidate is capable of meeting all requirements or could easily do so in a short time period and is not subjected to additional, independent assessment.

Suppliers could start by assigning security control baselines; to do so, inventory all information systems and determine what they process and to whom access is granted (no small feat). Per NIST Special Publication 800-53 (r4), establishing baselines then enables an organization to overlay cost-effective and relevant security controls on those systems. Security controls, sorted by priority of implementation, are further articulated by NIST in Appendix D of the same document. A set of controls can be satisfied by a given security solution, or even by a procedure (i.e. implementation does not always mean buying something and could result from a process change with some investment in training). Cloud hosting companies may find that adherence to SOC 2/3 will probably make achieving FedRAMP certification relatively straightforward (please correct me in the comments).
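As an added illustration (not code from the article or from FedRAMP/NIST), here is how the inventory-then-baseline step above can be scripted: each system is rated per FIPS 199 objective, the FIPS 200 high-water mark picks its baseline, and a control table is filtered and ordered by Appendix D priority. The inventory, the `System` class and the control allocation table are constructed samples, not the real Appendix D allocation.

```python
# Added example, not the article's own code. The inventory and the control
# table below are constructed samples; the impact mapping follows FIPS 199
# (impact per CIA objective) and the FIPS 200 high-water-mark rule, and the
# P1..P3 priorities follow the NIST SP 800-53 r4 Appendix D convention
# (lower number = implement first).
from dataclasses import dataclass

LEVELS = {"low": 1, "moderate": 2, "high": 3}

@dataclass(frozen=True)
class System:
    name: str
    confidentiality: str   # FIPS 199 impact if this objective is lost
    integrity: str
    availability: str
    data_types: tuple      # what the system processes
    access: tuple          # who is granted access

# Constructed, illustrative allocation: (control id, priority, baselines).
CONTROLS = (
    ("AC-2", "P1", {"low", "moderate", "high"}),
    ("AC-2(1)", "P1", {"moderate", "high"}),
    ("AU-2", "P1", {"low", "moderate", "high"}),
    ("AU-6(1)", "P1", {"moderate", "high"}),
    ("CP-9(1)", "P1", {"moderate", "high"}),
    ("AC-11", "P3", {"moderate", "high"}),
)

def high_water_mark(system: System) -> str:
    """FIPS 200: the overall impact level is the highest across the objectives."""
    ratings = (system.confidentiality, system.integrity, system.availability)
    unknown = [r for r in ratings if r not in LEVELS]
    if unknown:  # reject typos such as "med" instead of silently assigning Low
        raise ValueError(f"{system.name}: unknown impact level(s) {unknown}")
    return max(ratings, key=LEVELS.__getitem__)

def applicable_controls(baseline: str) -> list:
    """Controls in the given baseline, ordered by implementation priority."""
    chosen = [(cid, prio) for cid, prio, bl in CONTROLS if baseline in bl]
    return [cid for cid, _ in sorted(chosen, key=lambda c: (c[1], c[0]))]

def assign_baselines(inventory) -> dict:
    """Map each system name to its baseline and prioritised control list."""
    return {s.name: (hwm, applicable_controls(hwm))
            for s in inventory for hwm in (high_water_mark(s),)}

if __name__ == "__main__":
    INVENTORY = (  # constructed sample inventory
        System("public-site", "low", "low", "moderate", ("press releases",), ("public",)),
        System("case-mgmt", "moderate", "moderate", "low", ("PII",), ("agency staff",)),
    )
    for name, (baseline, controls) in assign_baselines(INVENTORY).items():
        print(f"{name}: {baseline} baseline -> {controls}")
```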

Rates of adoption — room for improvement

Market forces and the move to a shared services model will continue to influence FedRAMP adoption and reach. As a program intended to bring together a myriad of stakeholders, FedRAMP is still developing. According to a report by Coalfire, only one or two agencies are using the same assessment, illustrating the need to encourage participation by more CSPs and agencies (only 40 percent participate in the program at the time the report was published).

For vendors, the same report imparts that “Many CSPs bringing commercial solutions to the FedRAMP process have needed to make modifications in order to meet the requirements.” That is to say, FedRAMP’s requirements have placed new obligations on technology, process, or people management at a time when the true extent of any benefit is unknown given the few CSP and agency participants today. That’s set to change.

Source: FedRAMP.

Going forward

FedRAMP certification can be pricey (working with an accredited third party assessor — 3PAO — can cost in the range of $250,000 to $385,000), but worth it. Inductees are essentially welcomed into a marketplace with a higher barrier to entry, but would probably catch the early part of the digital transformation wave pushing US Government agencies into cloud and hybrid environments. Citizens expect a lot from their government agencies, and want to engage with them digitally. They place the same expectations on user experience as they might on consumer services (e.g. their bank). At the same time, government workers deserve top-notch tools to do their jobs; those will typically come from private sector providers who serve larger enterprise clients.

For now, vendors that do not meet FedRAMP requirements may still operate and support agencies; agencies are required to “Identify and annually report on cloud services being used that do not meet FedRAMP requirements… with appropriate rationale and proposed resolutions” to OMB as a means to collect more data and compel compliance. It’s likely that perennial non-adherents will be replaced by authorized and ready providers as the marketplace grows; pressure to do so is likely to come from CSPs themselves.

Finally, it’s likely only a matter of time before state agencies can access FedRAMP reports and use them as a basis for procuring cloud services: duplicating such an effort 50 more times is untenable.

FedRAMP email updates are available via the GSA.

Read the Coalfire report, cited in this article. I welcome your comments and questions.
