Last Updated on March 5, 2021
Given the ever-escalating demand for cloud services, it’s no surprise that FedRAMP (short for Federal Risk and Authorization Management Program) is a hot topic these days. More and more cloud service providers (CSPs) are interested in selling to US federal agencies. But to do so, they first need a FedRAMP Authority to Operate (ATO).
If you’re pursuing an ATO, what are the key entities you need to be concerned with, and what are their roles?
Of course, a major player in any CSP’s ATO process will be the sponsoring organization that manages the overall program and promotes adoption of your cloud service within the government. This will be either a specific federal agency or the General Services Administration (GSA) FedRAMP Program Management Office (PMO) Joint Authorization Board (JAB)—which is more acronyms than even government employees are willing to juggle, so it’s usually referenced as the JAB.
In either case, the sponsor organization will assign an Information System Security Officer (ISSO) to help lead FedRAMP authorization efforts. In particular, the ISSO will be central to understanding and accepting (or not) whatever security risk the assessment process reveals about a CSP’s offering.
“They’re going to have someone internal to the organization that is the ISSO, and that’s really the key decision-maker within the agency,” notes Steve.
Another key player is the third-party assessment organization (3PAO), such as Schellman & Co., which is responsible for doing all of the testing, validation and monitoring that the JAB or the agency will rely on for its decision.
Also in the mix for many CSPs is a consulting/advisory firm like Pivot Point Security, which can provide the extra staffing resources, expertise and bandwidth to help take a CSP through the ATO process.
Is hiring a third-party advisor essential to the ATO process? Definitely not. But as Steve relates, “We’ve seen both approaches, and it tends to go much, much better when working with an advisor or consultant on the front end.”
I’ve Got a Guy…
“It’s not that these people can’t do it themselves,” observes host John Verry, Pivot Point Security’s CISO and Managing Partner. “It’s just that they have day jobs. FedRAMP is an incredibly… I mean, just the process of putting together a System Security Plan (SSP), which if you haven’t seen one, they’re like 600 pages… It’s just a crapload of work. So if a guy’s got a full-time job and then he’s trying to get someone FedRAMP ATO’d in his spare time… Yeah, it’s going to be a tough row to hoe.”
“I was on a call with somebody 30 minutes ago about FedRAMP,” John remarks. “The guy asked, ‘Can we do it ourselves?’ I said, ‘Absolutely—but whoever the person is who’s going to do it, they better not have any other work that you’re giving them to do.’”
“If you can free up a person completely who’s a security expert and has the time and energy, you can do it. But I think that’s the challenge: it’s just bandwidth, right? How many CSPs have people sitting around looking for things to do?” quips John.
“None that we’ve worked with,” Steve retorts.
If a FedRAMP ATO is on your to-do list, catching this podcast with Stephen Halbrook should be also.