Are there different paths to achieving FedRAMP compliance?
As a Cloud Service Provider (CSP), the most common avenue to pursue is to gain provisional authority to operate (ATO) from the FedRAMP Joint Authorization Board (JAB), led by CIOs at the General Services Administration, the Defense Department and the Department of Homeland Security. In order to accomplish this, an accredited third party assessment organization (3PAO) is required.
Another good option is to pursue an Agency-sponsored ATO. An individual agency can grant a FedRAMP ATO as long as it follows the FedRAMP process. Once the company has been granted an ATO, other agencies can capitalize on that authority by working with the ATO’d company. In order to accomplish this, an accredited third party assessment organization (3PAO) is required. Interestingly, at least one agency is actually a 3PAO.
Does each path have differences in cost and time to accreditation?
The cost is different for each path discussed previously. The most expensive is the route where the CSP hires an accredited 3PAO to complete the necessary testing and send it to the GSA’s office for verification. The time frame for each path (once the CSP has completed all of its documentation/preparation) is:
JAB granting provisional ATO, approximately nine months (dependent upon backlog)
Agency ATO, approximately four months
CSP supplied, varies
What criteria do you use to select a 3PAO?
The most important consideration is that they are an authorized 3PAO. Experience with the same ATO approach as you are pursuing is a plus. Last would be the ability to support other attestation requirements that you might have (e.g., ISO-27001, PCI-DSS, SOC2, etc.) as this can reduce the overall cost and complexity of pursuing multiple certifications/attestations.
Once I have been FedRAMP authorized, how often will my CSP need to be monitored?
FedRAMP requires “continuous” monitoring and ongoing testing/validation.
Is there a difference between FISMA and FedRAMP?
FISMA stands for the Federal Information Security Management Act of 2002. The act requires all federal agencies, departments, and their contracted agencies to sufficiently protect their information systems and accounts.
FedRAMP stands for the Federal Risk and Authorization Management Program (established December 2011). FedRAMP leverages NIST/FISMA guidance, most notably NIST 800-53.
Why should I get FedRAMP authorized?
If you plan on providing cloud services to the federal government anytime in the future, FedRAMP authorization is highly beneficial.
What are my options if I receive an Agency ATO, but then I get denied by the FedRAMP JAB?
If a CSP is denied FedRAMP certification, the applicant receives a document showing the findings of non-conformance. If the 3PAO would like, they can reapply with evidence to show they now comply, or reapply for certification if they believe they were denied based on an error in the original decision. Application review is an ongoing process and is handled on a first-come, first-served basis.
What is FIPS 199 security categorization?
FIPS 199 security categorization is a standard of the United States Federal Government that establishes security categories for information systems used by the Federal Government. Each system is categorized as low, moderate, or high impact, and that categorization determines the NIST 800-53 controls required to mitigate system risks.
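A worked illustration of the FIPS 199 "high-water mark" rule, added here as an example and not taken from the original page: each information type carries a confidentiality/integrity/availability impact, the system inherits the highest value per objective, and the highest objective sets the overall level that selects the NIST 800-53 baseline. The information types and their impact values below are constructed sample data.

```python
# FIPS 199 impact levels, ranked so that max() yields the high-water mark.
LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {rank: name for name, rank in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: (C, I, A) impact per information type, illustrative only.
SAMPLE_INFO_TYPES = {
    "public_web_content": {"confidentiality": "low", "integrity": "moderate", "availability": "low"},
    "customer_pii": {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "billing_records": {"confidentiality": "moderate", "integrity": "high", "availability": "moderate"},
}


def categorize_system(info_types):
    """Apply the FIPS 199 high-water mark.

    Returns (per_objective, overall): the highest impact for each security
    objective across all information types, and the overall system level,
    which is the highest of the three objectives.
    """
    if not info_types:
        raise ValueError("at least one information type is required")
    per_objective = {}
    for objective in OBJECTIVES:
        ranks = []
        for name, impacts in info_types.items():
            level = impacts.get(objective)
            if level not in LEVELS:
                raise ValueError(f"{name}: invalid {objective} impact {level!r}")
            ranks.append(LEVELS[level])
        per_objective[objective] = NAMES[max(ranks)]
    overall = NAMES[max(LEVELS[v] for v in per_objective.values())]
    return per_objective, overall


def baseline_for(overall):
    """Map the overall impact level to the NIST 800-53 baseline name."""
    if overall not in LEVELS:
        raise ValueError(f"unknown impact level {overall!r}")
    return f"NIST SP 800-53 {overall.capitalize()} baseline"


if __name__ == "__main__":
    per_obj, overall = categorize_system(SAMPLE_INFO_TYPES)
    print(per_obj)          # one billing_records 'high' drives integrity to high
    print(overall, "->", baseline_for(overall))
```

Note that a single high-impact value on one objective of one information type lifts the whole system to the High baseline, which is why scoping the information types a system actually handles matters so much for cost.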
Will I be able to recoup my costs of the FedRAMP authorization process?
There are many complex factors to determine if the costs will be recouped as a result of the process to achieve FedRAMP certification. Some factors include the number of customers you have currently, how many you’ll gain as a result of the certification, and the price of the product/services that you offer.
Will FedRAMP be beneficial in the private sector?
FedRAMP will have minimal value if you are not a Cloud Service Provider selling to Federal Agencies. Other alternatives, including ISO-27001, would be better investments if your work is limited to the private sector.