
Reusing FedRAMP Cloud Products

The cloud service ecosystem for FedRAMP authorization has been growing year over year, as has the demand for the reuse of cloud products across agencies. To facilitate cloud product adoption across different agencies without compromising security and usability, FedRAMP provides a quick process to help reuse these services.


What Does it Mean to “Reuse” a Cloud Product in FedRAMP?

The FedRAMP process, by and large, is predicated on a direct relationship between federal agencies and cloud service providers (CSPs), among other parties. It is up to each agency to issue an authorization letter for a CSP, showing that the provider meets the FedRAMP requirements as they apply to that specific agency.

Generally, the agency process involves a few standard steps:

Initially, this process seems to have a key drawback: products authorized with a specific agency are limited to that agency. In many senses, this concern is very real. Organizations achieving their ATO with a particular federal agency cannot immediately sell their products to other agencies.

One solution that FedRAMP incorporates is allowing a select group of cloud products to achieve a Provisional ATO (P-ATO) through the Joint Authorization Board (JAB). This program admits a small set of products (typically 12 or fewer) into a general, rigorous authorization program that allows them to serve a broader agency marketplace. The program is limited and still requires additional assessments to fit specific agency needs.

Another solution is the FedRAMP process for reusing cloud product authorizations.


Reusing FedRAMP Authorizations for Cloud Products

There is clearly very little reason to have a program in place that requires every cloud product to undergo repeated assessments to provide the same service to different federal agencies. While key data protection factors (confidentiality, integrity, and availability) will vary between agencies, it is not necessarily the case that these variances would be so radical as to make a product incompatible across agencies.

Therefore, FedRAMP includes a method by which agencies can reuse the security package compiled by the cloud provider to grant FedRAMP authorization for their own operations.

The process for reusing a cloud offering is relatively straightforward:


What Is Multi-Agency Continuous Monitoring?

This may seem like we are getting out into the weeds a bit… but bear with us. 

If a cloud provider has an offering on the FedRAMP Marketplace, and if that offering gains its Authorization across several different agencies, then there will be a mess of continuous monitoring responsibilities across those agencies. Monitoring isn’t a flat, standardized process; different agencies expect tests and results across different technologies and processes. 

Accordingly, having multiple agencies monitoring the same offering independently means there are a lot of extra hands in the pot. Instead, the goal of a multi-agency continuous monitoring group is to streamline the combined monitoring processes and the stakeholders involved in them, so that everything is that much easier for everyone (including the provider).

FedRAMP recommends a few specifics around monitoring collaboration groups to maximize accuracy and efficiency:

Additionally, the FedRAMP program recommends having a charter in place to outline decision-making, rules of engagement, and policies for effective monitoring management.

This process might seem like a lot, and it is. But for massive enterprises fielding complex and popular cloud offerings, there may be quite a few stakeholders managing complex monitoring processes, in which case having a steering committee can go a long way.


Stay Knowledgeable and Prepared for FedRAMP with Continuum GRC

It doesn't matter whether you are a small business or a massive corporation putting your cloud product on the FedRAMP Marketplace. If you want to expand and grow in the federal space, you'll need strong and ongoing monitoring support to ensure that you can adjust as needed.

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

Continuum GRC is proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization's cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
