Last Updated on March 2, 2021
FedRAMP might sound dull, but right now it’s one of the hottest topics in cybersecurity. What lit that fire under FedRAMP? And what does it take to participate in the program?
FedRAMP, short for Federal Risk and Authorization Management Program, is the US federal government’s approach to securing the cloud services that its agencies use internally. Since its inception in 2011, just 214 Authorizations to Operate (ATOs) have been granted to SaaS firms and other cloud service providers (CSPs) under the FedRAMP program. But in 2020 alone, 61 ATOs were granted or “in process,” and 30 more CSPs are “ready” to start their FedRAMP assessments. Chalk it up to the pandemic and the ongoing expansion of all things cloud.
To make sure we left no FedRAMP stone unturned in our quest for insight, we were fortunate to connect with Stephen Halbrook, Partner and government compliance lead at Schellman & Co., on a recent episode of The Virtual CISO Podcast.
FedRAMP assessment/authorization functions analogously to a security attestation like ISO 27001. But a key difference is that FedRAMP grants authorizations at three “impact levels”: Low, Moderate and High.
As Steve explains, if you’re thinking of pursuing a FedRAMP ATO, your choice of impact level is critical: “Low, Moderate and High are the different [cybersecurity] baselines, and NIST has different control sets at those baselines. It really comes down to the sensitivity of the information that the agency is going to put into the system.”
“So if you went online and got FIPS PUB 199 [Standards for Security Categorization of Federal Information and Information Systems], that’s a NIST document that walks you through [evaluating] the confidentiality, integrity and availability of the information that the agency would be putting into your system,” Steve adds.
In short, a CSP can use NIST guidance to effectively perform a security categorization. This will determine which of the three impact levels is relevant for your offering based on the agency data you anticipate storing, processing and/or transiting.
Of course, it’s critical for CSPs interested in serving the federal government to make sure their would-be clients are comfortable with whatever that target level is. If an agency wants its cloud services to meet a Moderate security level and your ATO is for a Low level, “It’s a losing argument,” as Steve puts it.
Besides being a pivotal acceptance criterion, the impact level you choose will have a massive impact on the cost and complexity of achieving your ATO. To wit, a High level involves about 425 cybersecurity controls, Moderate includes about 325 controls and Low about 125 controls.
Besides the cost and effort to implement and maintain the necessary controls, a CSP will also need to factor in the significant FedRAMP assessment process itself. The higher the impact level, the more stringent assessment you can expect, both in terms of the number of controls and also additional assessment requirements.
Where can you start exploring the FedRAMP controls and associated guidance? Steve notes that “FedRAMP is built on NIST SP 800-53 [Security and Privacy Controls for Information Systems and Organizations], and all this is documented there.” Additional templates and documents are available on fedramp.gov.
If you’re interested in providing cloud services to the US federal government, this podcast with Stephen Halbrook is just what you’re looking for.