A CSP’s simple guide to all things FedRAMP
The use of cloud services has grown tremendously worldwide, particularly in the US, with a 14.3% CAGR in cloud spending according to a 2021 Deloitte analysis. In recent years, cloud adoption has been driven by the shift to remote work, the need for scalability, and organizational pushes for modernization.
The US Government's Cloud First Policy set the path for US federal government departments and agencies to evaluate safe, secure cloud computing options. That evaluation calls for a thorough security assessment of the Cloud Service Provider's (CSP) cloud service offering (CSO) and requires the CSP to comply with US regulatory and statutory requirements before authorization for its use is granted.
The FedRAMP program was established to standardize that assessment and authorization process.
FedRAMP — Security first
FedRAMP – the Federal Risk and Authorization Management Program – is a US government-wide program to standardize how the Federal Information Security Management Act (FISMA) applies to cloud computing services. Aimed at all US federal government and agencies, FedRAMP’s goal is to ensure adequate security controls are implemented to secure US government data on cloud systems that process, store and/or transmit it.
Prior to FedRAMP, the acquisition and evaluation of cloud services, the assessment techniques, and the authorization methodology varied from agency to agency. If Agency #1 wanted to acquire a specific CSP's cloud service offering, the CSP had to respond to that agency's RFP. If Agency #2 then wanted to use the same offering, both Agency #2 and the CSP had to repeat the entire process and assessment. The process was time-consuming, cost-prohibitive and not very transparent for agencies and CSPs alike, because little information was shared between agencies, and CSPs carried the administrative burden of redoing RFPs with each agency.
FedRAMP addresses these problems by introducing common standards and best practices for agencies and CSPs to use. A CSP that advertises or sells a cloud service offering to US federal agencies can use the FedRAMP framework to apply for authorization and demonstrate its ability to meet those standards.
FedRAMP cuts down the roundtrip time taken to assess and authorize with a “do once, use many times” framework that minimizes reinvention and duplication of time and effort, and optimizes the process, cost and staff required to “authorize” the cloud service offerings.
FedRAMP maintains a repository of authorizations and a marketplace of authorized cloud service offerings, allowing other US federal agencies to select, review, reuse and grant their own authorizations. Under FISMA, FedRAMP cannot accept risk on behalf of any agency. It therefore issues a Provisional Authorization to Operate (P-ATO) to indicate that a CSP has met all FedRAMP requirements, which agencies can then rely on when granting their own ATOs. FISMA requires each agency to individually accept the risk of using any IT system and to issue its own Agency ATO.
FedRAMP – Five essential steps
Document and develop System Security Plan
The first step in the process is to capture and document the CSP's current state. The System Security Plan (SSP) is the primary document in which the CSP records the system's authorization boundary, its security categorization, and the security controls implemented in the as-is system. The SSP needs to be well documented, up to date and relevant.
Perform gap assessment and analysis
Based on the system's security categorization level, the CSP selects the matching FedRAMP security control baseline for the authorization it is seeking. The FedRAMP baselines define the minimum set of security controls a CSP must implement to meet FedRAMP's requirements for Low, Moderate or High impact systems.
The CSP then conducts an internal gap assessment of its current state against the chosen baseline. The output is a list of the gaps that must be remediated to meet the requirements of that impact level.
Remediate the gaps
A CSP applying for a FedRAMP readiness assessment is expected to have a fully operational environment, but it does not need active customers in that environment. For the gaps identified in the previous step, the CSP develops a plan to implement the missing controls. Some controls may already be in place, some may require new controls, some may require reconfiguring an existing control, and some may require compensating or alternative controls. It is imperative that the controls the CSP implements satisfy the intent of the baseline requirement. The CSP develops an initial Plan of Action and Milestones (POA&M), a remediation roadmap covering people, process and technology, prioritization, effort sizing and cost estimation. At this stage the CSP must also update the SSP with the new implementation details.
Engage 3PAO for Readiness and Authorization
A third party assessment organization (3PAO) is a FedRAMP-recognized entity that meets and demonstrates the necessary independence, quality and FedRAMP knowledge requirements to perform independent security assessments on cloud systems.
The 3PAO is responsible for performing independent assessment testing to evaluate the CSP's cloud service offering against the FedRAMP security control baseline and to verify that the implemented controls are effective and operate as documented in the SSP. The 3PAO presents the test results to the CSP, including the vulnerabilities, threats and risks discovered during testing and guidance for mitigating the identified weaknesses.
For identified gaps, the CSP needs to demonstrate that it has a documented POA&M plan in place for correcting each security weakness identified, including staffing, resources, and schedule.
The CSP and 3PAO compile a final package that includes the SSP, POA&M, test plans, scan results and other supporting documents, and submit it to FedRAMP for authorization review. The Authorizing Official (AO) makes a risk-based decision on whether or not to authorize the system (the cloud service offering). Once the decision is made, the AO provides an authorization letter to the CSP system owner. The CSP thus receives an Authorization to Operate granted either by a specific agency (Agency ATO) or by FedRAMP (P-ATO).
Enable a continuous monitoring system
FedRAMP is a continuous program, not a project with start and end dates. The CSP is required to implement continuous monitoring, continue to meet the FedRAMP requirements, and maintain a risk posture appropriate to its chosen security impact level.
Continuous monitoring shows how effective the CSP's deployed security controls remain over time and enables US federal agencies to make informed and timely risk-management decisions. Any lapse in the rigor FedRAMP requires, at any point in the authorization lifecycle, will affect the CSP's authorization(s).
The CSP must be able to show that its security posture and maturity remain robust throughout the lifecycle of its FedRAMP authorization.
Collaborating with a consulting partner
Some of the key activities a consulting partner can streamline across the five steps above are:
- Support the CSP Customer in developing FedRAMP business cases,
- Partner with specific US federal agency,
- Document and maintain System Security Plan and baseline controls requirements,
- Perform the internal gap assessment,
- Support CSP to build the fully operational environment,
- Support CSP on 3PAO engagement,
- Support CSP to remediate the 3PAO findings,
- Support CSP to submit the authorization package,
- Maintain the ATO and meet FedRAMP Continuous monitoring requirements.
That is why we recommend that CSPs consider collaborating with an experienced consulting partner that can support the end-to-end authorization process and, more importantly, bring FedRAMP know-how.
As a final note, with the accelerated cloud adoption by US Federal government and agency(s), FedRAMP is here to stay.
About the author
Senior Consultant – Atos North America Digital Security Consulting, Big Data and Security (BDS)
Bala comes from a consulting and digital security background, with 25+ years of experience supporting multiple North American customers and engagements. As a Senior Consultant, Bala influences customer C-suite conversations and drives cybersecurity strategy, governance, and technical consulting assessments, the majority of which have been in the healthcare and telecom space. In the consulting role, Bala also supports the internal business development teams in pursuing cybersecurity opportunities and in developing and promoting the Atos digital security consulting practice and security solutions.
Bala holds CISSP, CISA and CDPSE certifications and 10 US patents.