The Federal Risk and Authorization Management Program (FedRAMP) is a program created by the U.S. government to standardize the security assessment, authorization, and monitoring of cloud computing services for government use.
A cloud service offering must demonstrate compliance with FedRAMP requirements and receive FedRAMP authorization to be used by U.S. federal agencies.
FedRAMP ensures that cloud products and services used by federal agencies are secure, enables faster and cheaper procurement, and eliminates the possibility of duplicate efforts and costs across agencies.
What Are the FedRAMP Compliance Requirements?
The NIST SP 800-53 catalog is controls is used as a baseline for FedRAMP compliance. Some modifications have been made to address the unique risks associated with cloud computing environments such as multi-tenancy, visibility, and shared resource pooling.
To comply with FedRAMP requirements, you will need to implement numerous controls covering a wide range of security aspects including:
- Access control
- Awareness and training
- Audit and accountability
- Security assessment and authorization
- Configuration management
- Contingency planning
- Identification and authentication
- Incident response
- Media protection
- Physical and environmental protection
- System security planning
- Personnel security
- Risk assessment
- System and services acquisition
- System and communications protection
- System and information integrity
For the complete list of compliance requirements, download the FedRAMP Security Controls Baseline.
How to Obtain FedRAMP Authorization
It’s best to approach FedRAMP authorization in four stages:
- Planning, implementation, and documentation. First, establish a relationship with a federal agency that wants to use your cloud offering and will put in the time and effort to get your application or service authorized. Determine whether your path to authorization is to obtain an Authority to Operate (ATO) from a single agency or to obtain a Provisional Authority to Operate (P-ATO) from the Joint Authority Board (JAB). Each path has pros and cons in terms of cost and effort required. Then, determine which category of security impact level applies to you (low, moderate, or high). You will need to use the FIPS 199 categorization template and the NIST Special Publication 800-60 volume 2 Revision 1 to ensure you are categorizing your offering correctly based on the type of information you process, store, and transmit. Next, fulfill the FedRAMP Security Controls Baseline requirements that match the security impact level your offering is categorized at. Document your implementation in a System Security Plan document that details how the implementation meets the requirements and the roles and responsibilities of those involved. Finally, prepare and submit all the necessary supporting documents including the e-Authenticate Worksheet, Privacy Threshold Analysis, Information Security Policies, User Guide, Rules of Behavior, IT Contingency Plan, Configuration Management Plan, Control Information Summary, and Incident Response Plan.
- Get an independent security assessment. You will need to have your cloud offering assessed to verify that the security controls you have implemented are in accordance with the FedRAMP requirements. If you are seeking an ATO from an agency, you can use a non-accredited independent assessor. If you are seeking a P-ATO, you will need to use a third-party assessment organization that is accredited by the A2LA to conduct the test. Develop a Plan of Action & Milestones (POA&M) to address and remediate any security risks that were found during the assessment.
- Submit your security package. Once you have completed the security assessment and all the associated documentation, submit the entire package to the authorizing official at the agency you’re partnering with or the JAB. The package will be reviewed, and you will either receive approval or a request for additional testing. If the agency accepts the risk of using your cloud offering, you will receive an ATO.
- Implement continuous monitoring. To maintain your authorization, you must implement continuous monitoring, continue to meet all FedRAMP requirements, and maintain the appropriate risk level associated with your security impact level. Failure to comply can result in the agency or JAB revoking your authorization.