The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government program that establishes a standardized approach for validating that a Cloud Service Provider is “secure.” Organizations that conform to the FedRAMP requirements are deemed to be “Authorized to Operate” (ATO), which essentially means that they are a “pre-approved” vendor for federal agencies wishing to purchase their cloud services. No additional security validation is required for additional agencies to purchase these services.
The driver behind FedRAMP was a December 2011 OMB Policy that mandated federal agencies move all existing and new services to the cloud, with the goal of many billions of dollars in cost reductions.
Why did the US Government develop FedRAMP instead of using an existing and well-vetted security standard or framework, such as ISO 27001, SOC 2, or Cloud Control Matrix (CCM)?
FedRAMP really isn’t new—it’s essentially a formal “certification” process using the NIST/FISMA information security framework (especially NIST 800-37 and NIST 800-53) that the U.S. government has been using since 2002. FedRAMP added the concept of independent/objective third-party validation of a provider’s security posture (the equivalent of the registrar in ISO 27001 or the CPA in SOC 2).
NIST/FISMA guidance differs from other frameworks in that the risk assessment process yields one of three discrete risk levels (Low, Moderate, and High), each of which mandates the implementation of specific controls. Because other frameworks do not specify these restrictions, FedRAMP was a necessity.
How do I know if I am a Cloud Service Provider (CSP) and need FedRAMP to sell to the U.S. government?
Essentially, any company providing a service that involves processing U.S. government agency information that is running in a non-agency controlled environment is a CSP. “Conventional” deployment models including Infrastructure-as-a -Service (IaaS), Platform-as-a-Service (PaaS), and Hardware-as-a-Service (HaaS) are specifically cited by supporting FedRAMP information sources such as cloud.cio.gov. Hybrid cloud service provider scenarios are also addressed by FedRAMP. Thus, virtually any company offering a data processing service to the federal government agency could arguably be a CSP.
What are the goals of FedRAMP?
From the government’s perspective:
- Drive billions of dollars in cost reductions by moving existing and new services to the cloud
- Increase confidence in security of cloud solutions
- Achieve consistent security authorizations using a baseline set of agreed standards and accredited, independent, third-party assessment organizations
- Increase automation and near real-time data for continuous monitoring
From the Cloud Service Providers perspective:
- Drive millions of dollars in revenues based on being a pre-approved vendor of cloud services to federal agencies that are mandated to move these services to the cloud by the OMB
- Achieve a security posture proportional to the risk associated with the data by effectively implementing the NIST/FISMA guidance specific to the data being processed
What are the challenges or pursuing FedRAMP Authorization to Operate?
FedRAMP is definitely not for the faint of heart. It can be a significant undertaking, but for many organizations the payoff can be easily justified. Typical challenges include:
- xpertise: The NIST/FISMA framework is a very well done and robust framework. It can also border on perplexing at first due to the hierarchical and interdependent nature of the dozens of standards that comprise it.
- Time: FedRAMP applications typically encompass 600 to 1,000 pages of security-related documentation (e.g., System Security Plan, Incident Response Plan, IT Contingency Plan, Configuration Management Plan, etc.). The time to produce this documentation (including research and driving internal consensus) is quite significant. Doing this while still holding down your “day job” is nearly impossible.
- Funding: Even if you have resources on staff with the expertise and time to prepare your FedRAMP submission, you will need to engage a Third Party Assessor Organization (3PAO) to develop and execute the test plan that the GSA (or Agency) will review for conformance. It’s not unusual for this testing to cost in excess of $150,000. There are also notable ongoing costs for ongoing monitoring/testing to maintain the Authorization To Operate.
- More time: Even with a consultant doing the bulk of the preparation, finding the time to perform the necessary due diligence/“blessing” of all deliverables to ensure that they align with your culture and capacity to execute are critical. A further time challenge is that the FedRAMP process is a series of document submissions, reviews, comments, resubmissions, and interim approvals. It’s not unusual for it to take a year for a company to get through the entire process. This situation is currently exacerbated by a backlog of applications at GSA.