Federal Risk and Authorization Management Program (FedRAMP)

FedRAMP is a U.S. government-wide program that standardizes the security assessment, authorization and continuous monitoring of cloud services (Infrastructure-, Platform- and Software-as-a-Service, not only SaaS) offered to federal agencies. It is directed by the Office of Management and Budget (OMB) and gives federal agencies a common benchmark for the security of cloud products and services. FedRAMP was developed through collaboration between cloud and security experts from the National Institute of Standards and Technology (NIST), General Services Administration (GSA), Department of Defense (DoD), Department of Homeland Security (DHS), OMB, the federal Chief Information Officer (CIO) Council and its working groups, and private industry. A provider's internal processes are tested by an independent third-party assessment organization (3PAO), and those assessments are what give agencies assurance about how the provider secures the facilities and systems where their data is stored.

The bottom line of the Federal Information Security Management Act (FISMA) is "risk-based policy for cost-effective security": controls are selected in proportion to the risk to the information they protect rather than applied uniformly. Security here means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction, which is what provides confidentiality, integrity and availability.

More detail about FedRAMP

What is FedRAMP?
FedRAMP is an assessment and authorization program that governs the security that cloud service providers, including Software-as-a-Service (SaaS) providers, offer to federal customers (security here meaning protection of customer data against unauthorized access, disruption and modification). U.S. federal agencies, acting under OMB direction, rely on this check before using a cloud service. The legal basis is the Federal Information Security Management Act of 2002 (FISMA), enacted as Title III of the E-Government Act of 2002 (Pub.L. 107–347, 116 Stat. 2899). Authorization is not a one-time event: the cloud service provider (CSP) is subject to continuous monitoring and must be re-assessed by a 3PAO annually. All assessments must meet high standards of independence and performance, especially quality, completeness and timeliness.

What are the types of FedRAMP compliance?

There are three ways for a cloud service provider to become FedRAMP compliant:

  • Joint Authorization Board (JAB) Provisional Authorization (P-ATO) path. The CSP's package is reviewed by the FedRAMP Program Management Office (PMO), assessed by a FedRAMP-accredited 3PAO, and granted a P-ATO by the JAB, whose members are the CIOs of DHS, DoD and GSA. The authorization is "provisional" because each agency that uses the service still issues its own ATO on top of it.
  • Agency Authorization (ATO) path. The CSP works with a sponsoring agency; the package is reviewed and authorized by that agency's CIO or delegated Authorizing Official(s), and the resulting ATO is verified by the FedRAMP PMO so that other agencies can reuse it.
  • CSP Supplied Package path. The CSP submits a completed security assessment package, assessed by a FedRAMP-accredited 3PAO, to the FedRAMP PMO without a JAB review or agency sponsor; the package then sits in the repository for an agency to pick up and authorize.

Note that the program's governance has changed since this was written: the JAB's role passed to the FedRAMP Board in 2024, so a CSP starting today should check the current FedRAMP guidance for the paths that are open.
What are the requirements of FedRAMP compliance?

The Cloud First policy requires all federal agencies to use the FedRAMP process to conduct security assessments, authorizations and continuous monitoring of cloud services. The FedRAMP PMO has stated five requirements that together constitute FedRAMP compliance:

  • The CSP has been granted an Authority to Operate (ATO) by a federal agency (or a P-ATO by the JAB).
  • The CSP addresses the FedRAMP security control requirements, which are the NIST SP 800-53 Rev. 4 baseline for the relevant impact level (FedRAMP publishes Low, Moderate and High baselines; Moderate is the most common) plus FedRAMP-specific parameters and additional controls. FedRAMP has since moved its baselines to Rev. 5.
  • All system security packages use the required FedRAMP templates.
  • The CSP was assessed by an independent, FedRAMP-accredited 3PAO.
  • The completed security assessment package is posted in the FedRAMP secure repository.
What are the advantages of FedRAMP compliance?

The advantages of FedRAMP compliance are:

  • FedRAMP reduces the duplicated effort, inconsistency and cost of having every agency assess the same cloud service separately.
  • A CSP can demonstrate a security authorization that meets government standards.
  • Customers gain confidence in the security of the services that are delivered.
  • FedRAMP improves consistency in how security practices are adopted and assessed across agencies.
  • FedRAMP accelerates the adoption of secure cloud solutions by letting agencies reuse existing assessments and authorizations ("do once, use many times").
How is FedRAMP conducted?

The FedRAMP program itself was established by the OMB memorandum of December 2011, "Security Authorization of Information Systems in Cloud Computing Environments", which set the following milestones. They describe how the program was stood up, not steps an individual CSP performs:

  • Within 30 days of the policy's issuance, the CIO Council publishes the standard baseline of security and privacy controls, drawn from NIST Special Publication 800-53, together with the continuous monitoring requirements. This baseline became the FedRAMP security authorization requirements.
  • Within 60 days, the FedRAMP PMO publishes a concept of operations (CONOPS) describing how the program works, made available to executive departments and agencies and to CSPs.
  • Within 90 days, the JAB publishes a charter defining the program's governance model.
  • Within 180 days, the FedRAMP PMO reaches initial operating capability and begins accepting CSPs into the process.

For a CSP, going through FedRAMP means following one of the authorization paths described above: documenting the system in a System Security Plan, being assessed by a 3PAO, obtaining an ATO or P-ATO, and then maintaining continuous monitoring.
How can FedRAMP compliance be achieved by an organization?

There are two ways for a CSP to enter the FedRAMP process:

The CSP can approach the FedRAMP PMO directly, or it can work through a sponsoring federal agency. If the CSP already does business with an agency, or a potential agency customer has expressed interest, the CSP can obtain that agency's sponsorship and navigate the process directly with it. If no agency sponsors the CSP, the CSP must submit a request to the FedRAMP PMO and join the queue of CSPs waiting for approval to begin a FedRAMP assessment.

Either route leads to FedRAMP compliance. The PMO route can take longer because of the waiting list; the agency sponsorship route avoids the queue but can be harder, since the CSP must find and keep an engaged sponsor that is willing to act as Authorizing Official.

The CSP should consult its 3PAO and the agency involved before choosing a route.

What controls are tested during FedRAMP compliance?

A CSP that wants to undergo FedRAMP must implement and test the controls in the applicable baseline. Controls are selected and implemented in proportion to risk, which is determined by assessing threats, vulnerabilities and impacts. The controls fall into the usual categories:

  • Deterrent controls: these discourage attacks rather than stop them, for example system-use notification banners, visible logging and acceptable-use warnings that make clear that unauthorized access is prohibited and will be recorded.
  • Preventive controls: these block unauthorized access on both the provider side and the customer side, where weak interfaces, exposed infrastructure and stolen credentials are typical causes of compromise. Examples are multi-factor authentication, hardened management interfaces, network segmentation and encryption, all of which reduce the chance of a successful intrusion or fraud.
  • Detective controls: in a multi-tenant cloud, intrusions can result from an unprotected virtual machine layer or from users storing credentials in unsafe places, so the CSP must show that it can detect them. Examples are intrusion detection, centralized log collection and review, vulnerability scanning and file-integrity monitoring.

The fourth standard category, corrective controls (backups, the contingency plan and incident response), is covered by the contingency planning and incident response documents in the package rather than listed here.
What policies are tested during FedRAMP compliance?

A CSP operates at scale and must protect its customers' accounts and credentials accordingly. FedRAMP tests that the following policies are in place and actually implemented:

  • The first policy covers managing external threats and maintaining the integrity of the network. The provider's boundary protection (firewalls), anti-malware, intrusion detection systems, email filtering and similar resources are examined during the FedRAMP assessment, both for their configuration and for evidence that they are monitored.
  • The second policy addresses internal risk by defining the acceptable use of network resources, so that insiders and authorized users are bound by documented rules of behaviour and least-privilege access.
What happens when a CSP fails the FedRAMP process?

A CSP in the FedRAMP process, or one that already holds an authorization, can fail to meet its obligations, for example by missing continuous monitoring deliverables or leaving high-risk findings unremediated. FedRAMP then escalates through the following stages, each with its own time frame:

  • Internal corrective action: the CSP provides a corrective action plan (CAP) to FedRAMP within one week of being notified of the failure to comply. The JAB is notified of the issues, the CSP's CAP and its continued progress.
  • Formal corrective action plan: if the failures persist, the FedRAMP director issues a letter and the CSP must provide a formal CAP within one week of receiving it. The CAP must be signed by the system owner, agreed by FedRAMP, and posted to the FedRAMP secure repository.
  • Suspension: the FedRAMP director sends the CSP a suspension letter within a week, setting the time frame in which the CSP must produce a CAP for review. The actions required are documented and the letter is posted in the FedRAMP secure repository so that agencies using the service are aware.
  • Revocation: FedRAMP sends the CSP a letter notifying it of possible P-ATO revocation. The JAB may have the FedRAMP director initiate a formal P-ATO review to determine whether the risk level requires revocation. The CSP must provide a CAP, including an agreed time period, to fix the specific failures noted by FedRAMP.
What are the steps taken if authorization is done through an agency?

Roughly 65 percent of CSPs obtain their authorization through an agency rather than the JAB, making this the most common path to FedRAMP compliance. The steps are:

  • Identify the sponsoring agency and its Authorizing Official.
  • Decide the resources on both sides, including the technical reviewer (TR) the agency assigns to the authorization.
  • Develop an action plan that maps the authorization milestones and resources to specific dates. Share it with the CSP to manage expectations and obtain its input; the FedRAMP PMO is also available to give feedback on the timeline.
  • Treat the authorization as a collaborative effort between the agency, the CSP and the 3PAO.
  • Hold regular discussions between the agency, the CSP and the FedRAMP PMO throughout the process so that the residual risk is understood by everyone who must accept it.
  • Engage the FedRAMP PMO whenever clarification of the FedRAMP authorization process or procedures is needed.
What documents are required and updated during FedRAMP?

The documents that are produced, and kept current under continuous monitoring, during FedRAMP are:

  • Privacy Impact Assessment (PIA).
  • FedRAMP test procedures and results.
  • Security Assessment Report (SAR), produced by the 3PAO.
  • System Security Plan (SSP).
  • IT system contingency plan (CP).
  • IT system contingency plan test results.
  • Plan of Action and Milestones (POA&M).
  • Continuous monitoring plan.
  • FedRAMP control tailoring workbook.
  • Control implementation summary (CIS) table.
  • Penetration testing results.
  • Software code review results.
  • Interconnection security agreements, service level agreements and memoranda of agreement.
What controls are not included in FedRAMP?

Two kinds of controls may be excluded from a given CSP's assessment:

Controls that are not applicable to the CSP's implementation. For example, the controls governing the provision and management of wireless access (AC-18 in NIST SP 800-53) do not apply when the system implements no wireless networking at all. The CSP must justify each "not applicable" claim in the SSP, and the 3PAO verifies it.

Controls that are fully inherited from an underlying authorized provider, for example the physical and environmental controls of a FedRAMP-authorized IaaS on which a SaaS is built. These are entirely that provider's responsibility and are not re-tested in the CSP's own assessment, but the CSP must still record in its SSP which controls are inherited, from whom, and under which authorization, since any gap in the provider's authorization becomes the CSP's risk.