The Federal Risk and Authorization Management Program, or FedRAMP, is a program by which the U.S. federal government determines whether cloud products and services are secure enough to be used by federal agencies. While the process for getting the FedRAMP seal of approval is complex, it can ultimately be lucrative for companies that are certified, not least because it signals a commitment to security to non-government customers as well.
Strictly speaking, FedRAMP is a risk management program. It was created to support the federal Cloud First policy, which was rolled out in 2011 and aimed to rationalize the federal government's sprawling, fragmented IT infrastructure by moving much of it to the cloud. Because federal agencies have unique — and legally mandated — security requirements, they needed a way to determine whether the cloud services they wanted to use met those standards.
FedRAMP was designed to solve that problem. It describes a process by which third-party assessment organizations — 3PAOs, in FedRAMP lingo — determine whether cloud service providers (CSPs) comply with federal security rules.
FedRAMP and FISMA
The Federal Information Security Management Act, or FISMA, defines the IT security requirements that federal agencies have to meet. These standards and guidelines are further elaborated in Special Publication 800-53 from the National Institute of Standards and Technology (NIST). But FISMA was passed in 2002, before the cloud services revolution took off, and it was not initially obvious how to use its requirements to assess cloud services.
"Many agencies were concerned about introducing cloud services into their technology environment," says Katie Lewin, currently Federal Director of the Cloud Security Alliance. Lewin was previously Director of the Federal Cloud Computing Program, and in that capacity led the charge to develop and implement FedRAMP. It's common in private industry for cloud services to be adopted via "shadow IT," with individual business units deploying assets to the cloud without IT management's knowledge, but Lewin says that due to the strict rules in place in the federal government, "agencies were not using cloud technologies at all rather than using them in a shadow."
The FedRAMP program seeks to make it clear how FISMA's requirements apply to cloud services. "FISMA was the framework for FedRAMP," says Lewin. "The program uses only FISMA controls."
For more information on the relationship between FedRAMP and FISMA, check out this whitepaper from Coalfire Systems, a leading 3PAO.
FedRAMP levels and FedRAMP controls
Levels and controls are two crucial concepts for understanding how FedRAMP works. Controls are the specific technologies and techniques used to ensure the security and privacy of data stored in the cloud; the different controls are outlined in detail in NIST Special Publication 800-53, and there's a top-level overview on the website of the Government Service Agency (GSA).
CSPs can choose, based on which controls they implement, to offer different levels of security: low, moderate or high. The levels in turn determine what kinds of data can be stored or accessed on those systems. StandardFusion has a good overview of what the different levels mean and what controls are required for each.
If you're a cloud provider looking to become a FedRAMP CSP, the requirements are complex — the GSA's "Guide To Understanding FedRAMP," which "provides helpful hints and guidance to make it easier to understand FedRAMP's requirements," is a 58-page PDF. The document does have a useful FedRAMP requirements checklist that any organization needs to meet before it decides to participate in FedRAMP:
- You have the ability to process electronic discovery and litigation holds
- You have the ability to clearly define and describe your system boundaries
- You can identify customer responsibilities and what they must do to implement controls
- System provides identification & 2-factor authentication for network access to privileged accounts
- System provides identification & 2-factor authentication for network access to non-privileged accounts
- System provides identification & 2-factor authentication for local access to privileged accounts
- You can perform code analysis scans for code written in-house (non-COTS [commercial off-the-shelf] products)
- You have boundary protections with logical and physical isolation of assets
- You have the ability to remediate high risk issues within 30 days, medium risk within 90 days
- You can provide an inventory and configuration build standards for all devices
- System has safeguards to prevent unauthorized information transfer via shared resources
- Cryptographic safeguards preserve confidentiality and integrity of data during transmission
"My advice to anyone embarking upon or even considering the FedRAMP authorization process is to be prepared," says Frank Balonis, VP of Technical Services at Accellion, where he recently led a FedRAMP certification push. "The requirements and documentation needed are at a granular level. It's an arduous process but, once certified, you'll have a better overall visibility of your platform."
FedRAMP certification and FedRAMP compliance
As noted above, the federal government does not certify CSPs as FedRAMP compliant directly. Instead, certification comes from 3PAOs, who assess the CSPs. (The process for becoming a 3PAO is beyond the scope of this article.)
On its AWS FedRAMP page, Amazon outlines the steps for a CSP to become FedRAMP compliant. We've reproduced them here, along with explanations of some of the specialized terminology.
- The cloud service provider (CSP) has been granted an Authority to Operate (ATO) by a Federal Agency. (For more on ATOs, see this article on Govdatahosting.com.)
- The CSP addresses the FedRAMP security control requirements that are aligned to the NIST 800-53, Rev. 4 security control baseline for moderate impact levels.
- All system security packages must use the required FedRAMP templates. (FedRAMP templates are documents that outline the information needed to assess compliance; see the FedRAMP website for more information.)
- The CSP was assessed by an independent auditor.
- The completed security assessment package is posted in the FedRAMP secure repository.
It's worth noting that CSPs that have gone through all these steps still aren't at the finish line. As the FedRAMP FAQ explains, "only the head of an Agency or appointed designee, the Authorizing Official (AO), can make the risk-based determination to use IT systems. FedRAMP cannot make decisions for Federal Agencies or accept risk on their behalf." But these steps "help to establish an initial review and approval that Agencies can leverage during their own authorization process."
It's possible to receive a Joint Authorization Board Provisional Authority-To-Operate (JAB P-ATO), in which the JAB helps sign off on many of the initial requirements for working with multiple agencies, but individual agency AOs will each have their own final say. While this sort of "certify once, run anywhere" attitude was one of the goals of FedRAMP from the beginning, it hasn't necessarily worked out, according to Andrew McMahon, Director of Partnerships at Dcode, an accelerator program that supports technology companies selling to the public sector. "FedRAMP needs to do a better job of adopting script-based auditing, mirroring internationally accepted security standards, and pushing hard for sharing of ATOs across government," he says. "The mission of the FedRAMP policy is to lower security costs for cloud products and make security compliance fungible across agencies. Right now those goals are not being met."
And just getting certified once isn't enough: you'll need to have regular audits to make sure you maintain compliance. "Becoming FedRAMP authorized is only half the battle," explains Accellion's Balonis. "Maintaining FedRAMP authorization begins the day after. But the ongoing requirements to maintain FedRAMP authorization aren't overwhelming and, again, they provide added insight into our platform. Our recent annual audit was in fact very enlightening: We spent as much time reviewing 100 new controls as we did the previous year reviewing the initial 300 controls. Ultimately, the more mature your security posture, the easier it will be to maintain FedRAMP authorization."