As cloud service providers pursue their FedRAMP authorization process, they face a significant choice stemming from their ultimate goals in the federal space. This decision is based on how they are pursuing their working relationships with federal agencies and how well the provider is prepared for the rigorous FedRAMP assessment process. When a provider enters directly into a working relationship with a federal agency, they will almost certainly work through the FedRAMP “Agency” process.
What Is FedRAMP Authorization?
FedRAMP authorization is a designation given to cloud providers who have completed the assessment criteria requirements necessary to work with federal agencies. Any CSP working with a federal agency, whether as a managed service provider, storage and archival solution, or business platform, must meet FedRAMP minimum requirements to be considered “authorized” to work.
The criteria for the designation of “FedRAMP Authorized” fall under a few unique criteria:
FedRAMP Authorized providers must meet security control requirements defined under NIST Special Publication 800-53, “Security and Privacy Controls for Information Systems and Organizations.”
The scope of any particular provider’s responsibility will fall under one of three “Impact Levels” determined by the agency through an assessment of the kinds of data they will need to be supported. These impact levels include:
- Low Impact: Unauthorized disclosure of data will result in a limited adverse effect on the confidentiality, integrity, and availability of that information. Data at low impact levels may be publicly available via the Freedom of Information Act but is generally considered sensitive enough to protect in general practice. FedRAMP Low Impact designation will include implementing 125 controls from NIST 800-53.
- Moderate Impact: Unauthorized disclosure of information in a Moderate system could cause significant harm to an agency, its operations, and the constituents it represents. This harm can, and often will, include financial damages and physical harm, not including the loss of life. FedRAMP Moderate Impact designation will consist of implementing 325 controls from NIST 800-53.
- High Impact: Unauthorized disclosure of information in High Impact systems will cause severe or catastrophic harm to an agency, its operations, and its constituents. This can include significant financial loss and physical harm (including loss of life). FedRAMP High Impact designation will include implementing 421 controls from NIST 800-53.
Under FedRAMP Authorization requirements, self-assessment is completely disallowed. Instead, every provider seeking an authorization must undergo audits conducted by certified Third-Party Assessment Organizations (3PAO). These assessors are certified and monitored by the FedRAMP PMO, with listings placed on the FedRAMP Marketplace.
Initial authorization isn’t the last stop on a provider’s journey. Unlike other regulations or standards that call for annual (or longer) self-reporting or assessments, FedRAMP includes ongoing 3PAO assessments and a continuous monitoring program conceived of and implemented upon authorization.
Working with Agencies vs. Working with JAB
Provider authorization isn’t a matter of proceeding through checklists. The type of work, as well as the needs of the agency, will dictate the level of authorization (these needs and the associated impact level will be included in the agency’s RFP).
Thus, the path through authorization will depend on the working relationship (if there is one) between the government agency and the cloud provider:
- The Agency Path: The most common path to authorization, the agency path starts with an agency releasing an RFP and eventually partnering with a cloud provider. At this juncture, the agency works closely with the 3PAO and the cloud provider to move that provider to authorization.
- The JAB Path: The JAB path involves providers without direct agency partnerships seeking a generalized authorization path via the Joint Authorization Board (JAB). This approach will allow providers to get broad authorization and hone their capabilities more specifically for agencies when they compete for RFPs.
The agency process prepares a provider to work with a specific agency. The JAB process is a broader authorization process that will still require refinement for agency-specific contracts.
What Are the Stages of the Agency Authorization Process?
The agency path to authorization begins with an agency and a provider deciding to work together. The agency will support and monitor the agency and its 3PAO as they progress. Ultimately, they will provide an Authority to Operate (ATO) stating that the provider meets the minimum requirements for FedRAMP and the agency’s needs.
The path toward ATO, as defined by the FedRAMP PMO, are:
- Readiness Assessment: As an optional first step, agencies can undergo an initial readiness assessment. They will work with their 3PAO to complete a Readiness Assessment Report (RAR) documenting the provider’s ability to meet FedRAMP requirements. Upon completion, the provider is labeled “FedRAMP Ready” and listed on the FedRAMP Marketplace. Note that readiness does not designate an ATO but shows agencies looking to work with CSPs that an organization can undergo assessment.
- Pre-Authorization: At this stage, the CSP prepares to undergo the process while the agency formalizes the relationship between the two. It is assumed at this point that the CSP has a fully-built cloud system and compliance and leadership teams for FedRAMP authorization. The CSP must also complete the CSP Information form for their program intake. At this juncture, the agency will determine what data will be included in CSP’s contract and how that will shape the Impact Level.
- Full Security Assessment: In the proper authorization process, the CSP will undergo their full security assessment with the 3PAO. This stage will include the CSP’s completion of the System Security Plan (SSP), the 3PAO’s completion of the Security Assessment Plan (or SAP, completed before the assessment) and the Security Assessment Report (or SAR, completed after the assessment), and the Plan of Action and Milestones (POA&M) as needed.
- Agency Authorization Process: The agency will review material, including a potential review of the SAR with the FedRAMP PMO. The agency will perform a select test of customer-facing controls and conduct a risk assessment. The agency will issue their ATO letter upon test results and risk assessment acceptance. The provider will upload an Authorization Package Checklist that includes the SSP, POA&M, and ATO letter, while the 3PAO will upload the SAP and SAR documents.
- Post Authorization: After the ATO, the provider must give agency customers the required reports and documents related to their necessary vulnerability scans, annual assessments, incident reports, and POA&M requirements.
Streamline Your FedRAMP Agency Authorization with Continuum GRC
Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under StateRAMP and make it an easy and timely part of business in the public sector. It is always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- DFARS NIST 800-171
- SOC 1, SOC 2, SOC 3
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is a proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.