FedRAMP Certification: An Overview of Why It Matters

Originally published by Titaniam.

Cybersecurity is now in the spotlight as data breaches become a near-daily story. Organizations are consuming massive amounts of personal data that is directly tied to everyday people, and they’re often utilizing cloud-based services to help store them. This can be as commonplace as using your Gmail account at work or in personal correspondence. However, when the data involved is government data, security concerns become even larger.

To help combat the risk of government data seeing unsanctioned public exposure, the U.S. government requires federal agencies that are using cloud services to meet a set standard of security: FedRAMP.

What Is FedRAMP?

FedRAMP, also known as the “Federal Risk and Authorization Management Program,” is a standardized cybersecurity program designed to ensure all federal data is protected consistently and at a high level. Adopted in 2012, shortly after cloud services began gaining traction among organizations, FedRAMP initiated a clear and consistent process of requirements and steps in order for cloud service providers that are seeking to work with federal agencies. Prior to this standardization, these same providers were required to formulate their own packages for each agency and were often inconsistent with one another. The security standards were also unclear and varied between providers and agencies.

Through FedRAMP certification, cloud service providers can meet the outlined requirements and only go through one authorization process. Once this process is completed, any federal agency can use that provider’s security package.

Cloud service providers can look to begin certification in two ways: through an individual agency or the Joint Authorization Board (JAB).

How Long Does FedRAMP Certification Take?

Cloud service providers looking to work with government agencies should first consider if they’d like to certify through the JAB or an individual agency.

Providers certifying through the JAB first undergo a readiness assessment that determines the security risks involved. If the provider is deemed ready, they will then receive a full security assessment, an authorization process and ultimately their FedRAMP certification with continuous compliance monitoring. This process can take anywhere from roughly seven to nine months to complete.

Providers certifying through individual agencies may see a more expedited timeline. Those who have received business interest from specific government agencies have the benefit of skipping an initial readiness assessment. Instead, the agency walks providers through each step and provides the full security assessment. If this assessment is successful, providers just need to pass the authorization process and then continuous compliance monitoring. This process can take anywhere from roughly four to six months to complete.

Regardless of which path providers choose, there are four main steps to FedRAMP compliance:

• Package development. The process begins with an initial authorization meeting followed by developing a completed System Security Plan. Finally, an approved third-party develops a Security Assessment Plan.
• Assessment. This occurs through a Security Assessment report submitted by the assessment organization. Meanwhile, the provider creates a Plan of Action & Milestones.
• Authorization. Either the authorizing agency or the JAB then determine if assessed risks are acceptable. If providers pass, the authorization party submits an Authority to Operate Letter and the provider is then listed in the FedRAMP Marketplace.
• Monitoring. The approved provider is then responsible for sending monthly security monitoring reports to each agency utilizing their approved product.

FedRAMP Compliance Requirements

FedRAMP certification can be a time-consuming and lengthy process, but there are some general guidelines providers can keep in mind when ensuring compliance:

1. Map your product to FedRAMP by performing a gap analysis. This ensures that the current environment is already in compliance with security requirements.
2. Receiving FedRAMP certification is an arduous process that needs support at all levels to succeed. Technical teams and executive leadership alike should be in agreement and working towards compliance together.
3. While pursuing certification through the JAB is an option, finding an agency partner is a great option for smaller organizations or those who know they may not have the proper resources alone.
4. Take the time to accurately define your product’s authorization boundary, including the internal components, external service connections, and the flow of federal information and metadata.
5. Understand that FedRAMP certification is a continuous process where provider security measures are constantly monitored to ensure that they are up to date.
6. If you have multiple products, take the time to consider whether you will need one authorization or multiple.
7. Utilize FedRAMP PMO and the templates offered to help prepare cloud service providers for FedRAMP compliance.

There are also four impact-level categories used for risks associated with different services, including the potential impacts of a security breach in three areas: Confidentiality, Integrity and Availability.

These areas determine whether risks associated are categorized as:

• High. These are systems associated with devastating results to the organization or individuals should data be compromised or unavailable, such as law enforcement, financial institutions or health systems.
• Moderate. The majority of systems fall under the moderate category, meaning loss of data confidentiality and availability would have severe, although non-life threatening or life ending, implications .
• Low. These systems see little adverse effects on agency operations, assets or individuals if data is compromised or unavailable.
• Low-Impact Sofware-as-a-service (LI-SaaS). Also known as FedRAMP Tailored, this level was included to help low-risk use cases receive certification. These systems do not store personal identifiable information (PII) beyond general login capabilities.

While the first three impact levels are determined by the Federal Information Processing Standard (FIPS) 199, the fourth is based on the National Institute of Standards and Technology’s (NIST) Special Publication 800-37.

Should You Seek FedRAMP Certification?

While some cloud service providers may not be interested in working with federal agencies, it’s worth considering. Being FedRAMP compliant opens new avenues for the opportunity and future partnerships that otherwise would be unavailable. Cloud service providers who are considering FedRAMP certification but are unsure of the time investment may have another way to quicken the compliance process: security technologies already certified in FIPS.