FedRAMP: Mandatory Protection for Your Cloud Services with Federal Businesses

fedramp

Jul 24, 2023

Federal Business

These days, many questions arise surrounding the security of data and cloud posture: “How did this happen, why did this happen, and can this happen again?” Fortunately, the Federal Risk and Authorization Management Program (FedRAMP) exists for non-federal organizations that handle sensitive, confidential government data.

The Ponemon Institute, in collaboration with IBM Security, examined 550 organizations impacted by data breaches between March 2021 and March 2022. According to their findings (which spanned 17 countries and regions and 17 different industries), “. . . 45% of breaches occurred in the cloud . . . ,” which is why cloud protection services today are both a desirable and a necessary commodity. Further delving into the research reveals, too, that organizations “still need a mature cloud security posture, regardless of the cloud model” (IBM Security®, Cost of a Data Breach Report 2022, p. 39). Fortunately, organizations have experienced a reduction in risks and a minimization of threats as a result of utilizing the Federal Risk and Authorization Management Program.

What is FedRAMP?

“The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud products and services. FedRAMP empowers agencies to use modern cloud technologies, with emphasis on the security and protection of federal information, and helps accelerate the adoption of secure, cloud solutions (FedRAMP | GSA).”

The General Services Administration (GSA), in partnership with the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST), manages the program.

The FedRAMP Authorization Act received approval as part of the FY23 National Defense Authorization Act (NDAA) (See Sec. 5921, page 1055). The Act classifies the FedRAMP program as the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information.

As of May 30, 2023, the FedRAMP Joint Authorization Board has approved the FedRAMP Rev. 5 baselines. The FedRAMP baselines were updated to correspond with the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-53 Rev. 5 Catalog of Security and Privacy Controls for Information Systems and Organizations and SP 800-53B Control Baselines for Information Systems and Organizations.

This stride in compliance services helps Cloud Service Providers that conduct business with the Federal Government to meet the FedRAMP requirements. When organizations use FedRAMP-authorized cloud services, they are guaranteed a reliable level of security, data privacy, and compliance.

How Long Does It Take to Get FedRAMP Authorized?

The time it takes for an organization to achieve FedRAMP authorization can vary depending on several factors, including the complexity of the cloud service, the readiness of the organization, and the workload of the 3PAO (Third Party Assessment Organization) performing the security assessment. On average, it may take several months to a year for an organization to go through the FedRAMP authorization process.

Assuming the Cloud Service Provider (CSP) has implemented the controls and completed related documentation, the following timeframe for compliance applies:

  • A FedRAMP JAB P-ATO assessment takes about 5-8 months to complete.
  • An agency ATO can take anywhere from 3-5 months to complete.
  • A Cloud Service Provider-supplied package can likely be completed in 2-3 months.

How Can Cloud Services Providers Obtain FedRAMP Authorization?

There are several key steps toward achieving FedRAMP compliance:

1. Initial Assessment: FedRAMP has compiled the documents and templates necessary for preparation, authorization, and monitoring. The FIPS 199 Categorization gives organizations an awareness of which documents are relevant to them; however, other preparatory documents may need to be completed to determine the actual authorization path needed.

2. FIPS 199 Categorization: NIST developed the FIPS 199 (Federal Information Processing Standard) Categorization to categorize the data stored and transmitted by cloud computing services as low, moderate, or high impact. The classification determines the controls a CSP must implement.

3. Conduct a 3PAO Assessment: 3PAO is FedRAMP’s acronym for Third Party Assessment Organization. This assessment provides a cybersecurity attestation and produces the Readiness Assessment Report (RAR). This step is mandatory for the JAB authorization path; for the Agency path it is optional, but “highly recommended.”

4. Create a Plan of Action and Milestones (POA&M): This is another requirement carried over to FedRAMP from NIST SP 800-53. This step requires that the agency and/or CSP seeking authorization document the implementation of controls in the form of a schedule, “to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system.”

5. Obtain ATO or P-ATO: A CSP determines whether an authorization to operate (ATO) or a provisional authorization to operate (P-ATO) is needed. There are two different paths to achieving these authorizations: JAB and Agency.

a. JAB Authorization: The Joint Authorization Board (JAB) is composed of the General Services Administration and the CIOs of the Department of Defense and the Department of Homeland Security. JAB is appropriate for cloud service offerings (CSOs) classified as moderate or high impact per the FIPS 199 Categorization. To demonstrate FedRAMP compliance, a cloud service provider can apply for a provisional authorization via the JAB prior to developing a partnership with a federal agency. NOTE: The JAB does not accept risk responsibility; each federal agency has its own Authorization Officer. However, the JAB’s provisional authorization is more rigorous than an ATO achieved through Agency Authorization because the CSP must also receive approval from the CIOs of the Department of Defense, the General Services Administration, and the Department of Homeland Security.

b. Agency Authorization: This path requires that a CSP and an agency work together to achieve authorization; it is most appropriate for CSOs classified as low impact per the FIPS 199 Categorization. An agency that has chosen to work with a particular CSP can apply for authorization at any time, and the agency and CSP partner throughout the FedRAMP authorization process. Some of the steps that are mandatory for JAB Authorization, such as a 3PAO Readiness Assessment Report (RAR), are optional on the Agency Authorization route.

6. Maintain continuous monitoring: Once an ATO or P-ATO is achieved, organizations must create and follow a schedule for continuous monitoring.

FISMA vs. FedRAMP

Does your business need FedRAMP authorization when it is already compliant with FISMA? Many companies hold a Federal Information Security Modernization Act (FISMA) authorization and, as a result, may not feel it is necessary to attain separate FedRAMP compliance. FISMA and FedRAMP are different: FISMA applies to information systems security in general, while FedRAMP applies only to cloud service providers and to federal agencies that plan to use cloud service providers.

Per FISMA, the National Institute of Standards and Technology is responsible for establishing “policies which shall set the framework for information technology standards for the Federal Government.” Based on this law, NIST developed the Risk Management Framework.

Both FedRAMP and FISMA use the NIST SP 800-53 security controls. The newly updated FedRAMP security controls are based on NIST SP 800-53 baselines and contain controls, parameters, and guidance above the NIST baseline that address the unique elements of cloud computing. Generally, FedRAMP’s design makes the cloud service procurement method easier for organizations.

Do FedRAMP Authorizations Expire?

While the process to attain FedRAMP authorization may appear overwhelming, cloud service protection remains a smart move for any organization that plans to use cloud service providers: securing such status should occur sooner rather than later. A Cloud Service Offering’s (CSO) FedRAMP Ready approval is valid for only one year, beginning on the date the company is listed as FedRAMP Ready on the FedRAMP Marketplace. Also, FedRAMP authorizations are subject to continuous monitoring to ensure that the authorized cloud services continue to meet the necessary security and compliance requirements.

As an accredited FedRAMP 3PAO authorized by the U.S. General Services Administration (GSA) to conduct security assessments for CSPs seeking FedRAMP Ready and FedRAMP Provisional/Agency Authorizations, we provide FedRAMP consulting services aligned with the FedRAMP process to assist your organization in pursuing a FedRAMP ATO. Contact WCG today to ensure you are FedRAMP compliant!

[1] Congress.gov: H.R.7900 - National Defense Authorization Act for Fiscal Year 2023, FY23 National Defense Authorization Act (NDAA) (Sec. 5921, page 1055). https://www.congress.gov/117/bills/hr7776/BILLS-117hr7776enr.pdf

[2] FedRAMP Announces the Passing of the FedRAMP Authorization Act. FedRAMP Blog, January 11, 2023. https://www.fedramp.gov/blog/2023-01-11-announces-passing-fedramp-auth-act/

[3] FedRAMP Insights. FedSCHELD: The Authority in Federal Contracts. January 14, 2015. © Copyright 2023 Federal Schedules, Inc. https://gsa.federalschedules.com/resources/fedramp/

[4] FedRAMP Rev 5 Update. May 30, 2023. Rev. 5 Baselines Have Been Approved and Released! | FedRAMP.gov.

[5] FISMA Vs. FedRAMP: Why FISMA is the Better Option 2023 - RSI Security - blog.rsisecurity.com.

[6] Frequently Asked Questions. FedRAMP.gov. https://www.fedramp.gov/faqs/

[7] IBM Cost of a Data Breach Report 2022. https://www.ibm.com/downloads/cas/3R8N1DZJ

[8] Jones, Corrin. “How Can the Federal Government Improve Its It?” January 6, 2023.

[9] RSI Security. Overview of the FISMA Certification and Accreditation Process. December 20, 2018. © 2023 RSI Security. https://blog.rsisecurity.com/overview-of-the-fisma-certification-and-accreditation-process/

[10] What is FedRAMP Compliance? 6 Steps to Achieve Authorization. December 27, 2021. © 2023 AuditBoard Inc. https://www.auditboard.com/blog/what-is-fedramp-compliance/
