The federal government leans more heavily on technology providers, including cloud computing platforms that support data storage, processing, and office application solutions. Accordingly, the question of data security is live, and the government’s response is to implement the FedRAMP authorization requirement.
Like many other government programs, FedRAMP can threaten to bury the under prepared provider under a mountain of documents. Here, we’ll briefly cover the basics of FedRAMP documents and required reporting.
What Is FedRAMP Authorization-to-Operate (ATO)?
FedRAMP authorization is the process a Cloud Service Provider (CSP) undergoes to work with federal agencies based on requirements in an official RFP. This involved process uses NIST standards within an impact-level framework. More sensitive information storage and processing needs to require more intense security controls–and a much more involved authorization process.
There are two paths to FedRAMP ATO, each with unique requirements and documentation expected from the CSP. These two paths include:
The Agency Process
The agency process kicks off when a specific government agency seeks a CSP to support their operations. Their RFP will include a delineation of needs and an impact level based on the sensitivity of the data.
Once the agency formalizes a relationship with a potential CSP, the provider will undergo its FedRAMP authorization process. This process includes the following stages:
- Readiness Assessment: The readiness assessment is an optional (but recommended) preparatory step in which the CSP can work with an accredited 3PAO to assemble a Readiness Assessment Report, demonstrating the business’s ability to complete the process.
- Pre-Authorization: The company prepares for its security assessment at this stage. That means working to implement security measures, onboarding with the FedRAMP Program Management Office (PMO), and conducting a kick-off meeting with the agency to discuss their offerings, their security, the controls they must implement, compliance gaps, and a record of their milestones.
- Security Assessment: The CSP undergoes a security audit from their 3PAO based on a Security Assessment Plan (SAP), developing a Security Assessment Report (SAR) of their findings. Finally, if required, the 3PAO will create a Plan of Action and Milestones (POA&M) for any necessary remediation requirements.
- Agency Authorization: Upon the 3PAO’s approval for authorization, the agency will review the SAR and POA&M, implement and test system controls and risk analysis of the CSPs system. Upon approval, the agency writes an Agency ATO letter approving the CSP for final authorization.
- Continuous Monitoring: After authorization, the CSP in question must maintain continuous monitoring operations, delivering periodic security updates and any updates to the POA&M.
The JAB Process
The Joint Authorization Board (JAB) governs FedRAMP requirements and includes members from the Department of Defense, the Department of Homeland Security, and NIST. CSPs can apply to undergo this process to earn their Provisional ATO (P-ATO) under close supervision and support from the JAB. This path, while not enough to authorize the CSP to work with any specific agency, allows them to provide this information to an agency as part of their authorization package.
The steps for a P-ATO are similar to an agency ATO, with a few minor differences:
- FedRAMP Connect: Not every CSP can pursue a P-ATO. The JAB only prioritizes around 12 CSPs per year through the FedRAMP Connect program.
- Readiness Assessment: Unlike the agency ATO path, FedRAMP readiness is expected by the JAB for a P-ATO.
- Full Security Assessment: After the CSP has been selected for the FedRAMP Connect program and earned a FedRAMP Ready designation, they can undergo the full security assessment.
- JAB Authorization: The JAB will work closely with the CSP and their 3PAO to determine readiness. Upon JAB approval (after an extensive review of the security assessment and additional security and risk audits–all with monthly deliverables, including scanned reports and POA&M documentation), the CSP will earn their P-ATO.
- Continuous Monitoring: The CSP must provide monthly monitoring reports directly to the JAB and any agency they might work with.
What Documents Are Required for FedRAMP Authorization?
Regardless of the path, a CSP must expect to complete and deliver several lengthy, involved reports. Some core documents required for either an ATO or P-ATO designation include:
- Readiness Assessment Report (RAR): These reports are intended to help CSPs understand their readiness–more importantly if they can undertake the FedRAMP process. This includes creating an inventory of their offering and showing that they can implement their technical infrastructure towards their ATO. CSPs will often complete this report with tier 3PAO, which may require some evidence gathering by the 3PAO.
- System Security Plan (SSP): Possibly the most detailed report provided by the CSP. This report documents any process, technology, or solution in the CSP’s offering, responsibilities in the organization, dates and times of control implementation, and how a security control or solution addresses FedRAMP requirements. This report is rather large, with the baseline template floating around 300+ pages.
- Control Implementation Summary (CIS): The CIS serves as a more detailed inventory of FedRAMP-specific controls, including implementation responsibility and status for all controls. Each CIS includes individual lists of these controls, inherited control lists, and examples for quick report completion.
- Security Assessment Plan (SAP): This report, created by the 3PAO in conjunction with the CSP, their SSP and their CIS, outlines the scope and process that the 3PAO will use to test the CSP for their full security assessment. The information from this will officially be gathered by the 3PAO during the kick-off meeting, provide drafts to the CSP, and coordinate their testing.
- Security Assessment Report (SAR): Once the 3PAO completes their assessment of the CSP, they compile the SAR (responding directly to their criteria and scope established in the SAP) to speak directly to the CSP’s compliance with FedRAMP. This report will include controls that fail under examination, potential mitigating factors, and how controls address specific security requirements and other vulnerabilities.
- Plan of Action and Milestones (POA&M): If the CSP has controls that don’t quite meet FedRAMP requirements but can meet them with proper implementation or remediation, the 3PAO and the CSP can put together a POA&M that outlines these issues, appropriate steps to remediate those controls, and a specific timeframe for completion of that process.
It’s hard to truly encompass the complexity of these documents. While the list seems straightforward, each document can span hundreds of pages and require several communication layers to deliver correctly.
Streamline Your FedRAMP Documentation with Continuum GRC
Reporting, documentation, and communication within FedRAMP is itself a full-time job. Many of our clients have run into issues where challenges with documentation, whether collecting all the right information or simply organizing their paperwork, can delay the process by weeks or months.
The Continuum GRC platform streamlines this entire process. Our consultants, working with you and our cloud platform, help by taking over documentation and submission for you. With correct templates, reporting, and automated support, you can reduce the time and complexity of FedRAMP documentation from months to days.
Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- DFARS NIST 800-171
- SOC 1, SOC 2, SOC 3
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.