June 23, 2023

Last Updated on January 8, 2024

Obtaining a Federal Risk and Authorization Management Program Authority to Operate, better known as a FedRAMP ATO, is key for cloud service providers (CSPs) that want to do significant business with the US federal government.

The FedRAMP program was formed in 2017 to consolidate and coordinate the authorization process for cloud services across the US federal government in alignment with the Federal Information Systems Management Act (FISMA). Formerly, agencies had been individually authorizing CSPs through their own programs, leading to significant rework and inconsistency while creating duplicative recertification effort for CSPs.

Now FedRAMP can authorize cloud services and agencies can leverage this authorization to meet their FISMA compliance requirements. And CSPs can provide services to multiple agencies with just one authorization. Further, CSPs that are in turn leveraging FedRAMP authorized cloud services to deliver their service can “inherit” the covered controls. For example, a CSP that runs its service on the Microsoft Azure public cloud can include Azure’s FedRAMP authorized physical security controls within its own authorization process.

What organizations are involved with FedRAMP?

Created jointly by the General Services Administration (GSA), Department of Defense (DoD), and Department of Homeland Security (DHS), FedRAMP is hosted by the Office of Management and Budget (OMB). The main governance and decision-making body for FedRAMP, called the Joint Authorization Board (JAB), includes members from the CIO offices of GSA, DoD, and DHS.

The choreographed interaction among FedRAMP stakeholders during the assessment process is akin to a dance.

Mike Craig, CEO at Vanaheim Security, says: “First you’re going to decide that going toward a FedRAMP authorization makes business sense for you. Then you’re going to find a sponsor [agency], and there’s a whole engagement process that comes with that. After you find the sponsor, you’re going to very quickly want to find a Third-Party Assessment Organization (3PAO).”

The central importance of your 3PAO

3PAOs assess CSPs against the FedRAMP requirements. Note that if you’re working with a FedRAMP consultant that is also a 3PAO, that same firm cannot then serve as your 3PAO for the assessment, since advisory and assessment roles must stay separate.

“Find that 3PAO because they’re going to be able to help answer some of the more ambiguous questions,” Mike adds. “And they can get together with your sponsoring agency, and you can have a three-way conversation to figure out some of these ambiguous controls and how the sponsor would prefer to handle it. Because they’re the ones who are ultimately going to sign off on your authorization package.”

By getting that clarity early in the process, you can streamline your assessment preparation and avoid missteps. Then when you’re ready for your assessment, the 3PAO performs that function on behalf of the agency sponsor, not your company. Their job is to collect a huge array of data to prove that you’re doing what you say you’re doing in your submission package.

What’s Next?

For more guidance on this topic, listen to Episode 120 of The Virtual CISO Podcast with guest Mike Craig from Vanaheim Security.
