FedRAMP is the Federal Risk and Authorization Management Program. It was created to ensure the security of cloud services and solutions used by U.S. government agencies. Any cloud service or solution provider must obtain authorization and comply with FedRAMP requirements if they collect, maintain, process, disseminate, or dispose of any federal information.
A federal government cybersecurity framework, FedRAMP provides a standardized approach to assessments, authorizations, and continuous monitoring of cloud services and solutions to ensure they meet security standards. Among the other goals of FedRAMP are to:
- Achieve consistent federal security authorizations based on agreed-upon standards for cloud service and solution authorizations.
- Eliminate duplication efforts and reduce risk management costs related to federal agencies’ procurement of cloud services and solutions.
- Ensure consistent application of cloud security practices across all services and solutions used by federal agencies.
- Expedite the deployment of secure cloud solutions throughout the federal government with reusable assessments and authorizations.
- Improve confidence in the security of cloud solutions and security assessments.
- Increase automation and use of near-real-time data for continuous monitoring.
As part of its efforts to facilitate the authorization of cloud providers, FedRAMP defines and manages a core set of processes to ensure effective, repeatable security for cloud services and solutions used by federal agencies.
These FedRAMP guidelines, which are regularly updated, help cloud services and solutions providers rapidly make changes to meet current requirements.
FedRAMP also established a marketplace to increase access to authorized cloud services. The FedRAMP Marketplace also provides a hub to support collaboration across federal agencies. In addition, it supports the open exchange of lessons learned, use cases, and tactical solutions for cloud security.
FedRAMP program basics
Key FedRAMP acronyms
To understand FedRAMP, it is also necessary to understand the meaning of the following key FedRAMP acronyms and their roles in the authorization process.
- PMO (FedRAMP Program Management Office)
The FedRAMP Program Management Office (PMO) oversees FedRAMP applications, authorizations, and continuous monitoring. It is managed by the General Services Administration (GSA).
- 3PAO (FedRAMP Third Party Assessment Organization)
A FedRAMP third-party assessment organization (3PAO) is an independent third party that assesses the security of a cloud provider’s services and solutions for risk. 3APOs are accredited through the FedRAMP 3PAO program for JAB P-ATO (Joint Authorization Board Provisional Authorization to Operate).
To secure accreditation, 3PAOs must demonstrate independence and the technical competence to test and document a cloud provider’s security implementations. Once authorized and accredited, 3PAOs are included in the FedRAMP Marketplace.
- JAB (FedRAMP Joint Authorization Board)
FedRAMP is controlled by a Joint Authorization Board (JAB). It includes the chief information officers and other representatives from:
- Department of Defense (DoD)
- Department of Homeland Security (DHS)
- General Services Administration (GSA)
- FedRAMP Authority to Operate (ATO)
A FedRAMP authority to operate (ATO) is a formal declaration by an agency authorizing the use of a cloud provider’s services or solutions. This declaration includes the acceptance of any risk by the agency. Cloud providers work directly with the agency’s security office and an Authorizing Official (AO) to obtain an ATO.
- P-ATO (FedRAMP Provisional Authority to Operate)
For a FedRAMP provisional authority to operate (ATO) P-ATO, the JAB provides a risk review of the cloud provider’s security authorization package. FedRAMP-ATO is achieved after assessment and approval by the JAB. It is a more stringent process only available after a cloud provider has achieved several individual agency ATOs.
Then, an accredited 3PAO independently tests, verifies, and validates the cloud provider’s security assessment package. If it passes, then the JAP can grant a P-ATO that includes details about the impact levels for which the cloud provider’s risk posture are acceptable.
- SSP (FedRAMP System Security Plan)
A FedRAMP System Security Plan (SSP) is a report created by a cloud provider that outlines their existing infrastructure and the security controls and measures the gaps they must address to meet their desired ATO.
- CIS (FedRAMP Control Implementation Summary)
A FedRAMP Control Implementation Summary (CIS) is documentation developed by a cloud provider that outlines the security responsibilities it would assume for the agency.
- SAP (Security Assessment Plan)
The cloud provider and a 3PAO prepare a Security Assessment Plan (SAP). Based on the SSP, the SAP details all procedures, methodologies, and tests used as part of the 3PAO’s audit.
- SAR (Security Assessment Report)
A 3PAO uses a Security Assessment Report (SAR) to present its audit results. The SAR details what was tested, what was not, what controls met compliance requirements, and what failed to do so. Also included in a SAR report are recommended remediation steps.
- POA&M (FedRAMP Plan of Action and Milestones)
A FedRAMP Plan of Action and Milestones (POA&M) outlines the specific security controls required for cloud services and solutions, the schedule for implementing them, and the milestones that will be used to measure progress. It tracks and reports on the progress of a cloud provider’s implementation of required security controls.
The POAM is also used to track any issues that arise during the certification process and to document the resolution of those issues. POAM management is critical for any cloud provider that is seeking FedRAMP certification.
FedRAMP governance bodies
FedRAMP is governed by several executive branch entities that work collaboratively to develop, manage, and operate the program. FedRAMP governing bodies include:
- CIO Council: Disseminates FedRAMP information to federal CIOs and other agency representatives through cross-agency channels and events.
- Department of Homeland Security (DHS): Manages the continuous monitoring strategy for FedRAMP. This includes maintaining data feed criteria, reporting structure, threat notification coordination, and incident response plans.
- FedRAMP Program Management Office (PMO): Manages the day-to-day operations of the FedRAMP program and its continuing development.
- Joint Authorization Board (JAB): The FedRAMP program’s primary governance and decision-making body.
- National Institute for Standards and Technology (NIST): Provides advice to the FedRAMP program related to Federal Information Security Modernization Act (FISMA) compliance requirements. NIST also assists in developing the standards for the accreditation of independent third-party assessment organizations (3PAOs).
- Office of Management and Budget (OMB): Issued the FedRAMP policy memo. The OMB defines new requirements and capabilities for the program in conjunction with the other governing bodies.
Three types of FedRAMP authorization
- Authority to operate (ATO)
- Provisional authority to operate (P-ATO)
- Tailored authorization
The FedRAMP authorization process
There are two ways to demonstrate FedRAMP compliance and obtain a FedRAMP authorization. The first path is to get a FedRAMP authorization to operate directly from a federal agency. The second is to receive a FedRAMP provisional authorization to operate (P-ATO) from the Joint Authorization Board (JAB). The authorization process always involves four main steps, regardless of which method is pursued.
The FedRAMP authorization process begins with the cloud provider documenting the implementation of security controls and categorizing their cloud services and solutions per FIPS 199. This categorization (e.g., Low, Moderate, High, or FedRAMP Tailored) will determine the required controls.
Next, the cloud provider must complete a system security plan and develop a security assessment plan by a FedRAMP-approved third-party assessment organization (3PAO). The System Security Plan (SSP) is then created. This is a roadmap for how the required controls will be implemented.
Additional documents required for the FedRAMP authorization process include a contingency plan, an incident response plan, and configuration management.
The assessment phase can begin once the SSP and other required documentation have been completed, reviewed, and approved. During this phase of FedRAMP authorization, a 3PAO will develop a security assessment plan (SAP). The SAP outlines the testing approach for the cloud service or solution.
After the SAP is approved, the 3PAO tests the implementation of the controls on a production-ready system and develops a security assessment report (SAR). It is important to note that the security assessment must be performed on a production-ready system. Assessments cannot be performed on a test or development system.
Then, the cloud provider develops a Plan of Action and Milestones (POA&M), which details corrective actions that will be taken to address gaps and security weaknesses.
During this phase, the federal agency reviews the SAR for authorization. If the requirements are met, the cloud provider will be approved, and the agency will issue the ATO letter.
Note that sometimes, federal agencies require additional testing before approving the SAR. For an ATO, the FedRAMP Program Management Office (PMO) decides the FedRAMP authorization based on a review of the SAR and related documentation. For P-ATO, the package is reviewed by the JAB. Upon approval by the PMO or JAB, the cloud provider is authorized to work with federal agencies.
Once an initial agency ATO or JAB P-ATO has been obtained, the cloud provider begins the continuous monitoring phase. During this phase, the cloud provider ensures that the required continues operating appropriately. Depending on the controls, monitoring occurs continuously, monthly, or annually. Reports based on monitoring the controls are sent to the authorizing agency to show continued FedRAMP compliance.
Why FedRAMP is important
Beyond being a requirement for any cloud provider wishing to work with federal agencies, FedRAMP is important because it ensures consistency in evaluating and monitoring the security of cloud services and solutions. The results include significantly improved:
FedRAMP eliminates the need for multiple levels of security review for each cloud service provider.
FedRAMP reduces the time and effort required to set up and maintain cloud-based services.
- Risk management
FedRAMP compliance requires authorized organizations to identify, assess, and manage risks proactively.
FedRAMP compliance requires organizations to implement proscribed security controls based on their impact level.
Requirements for FedRAMP compliance
FedRAMP compliance requires cloud services and solutions to meet the specific security levels based on their use and the types of information they process and store. Below are the minimum requirements to achieve FedRAMP compliance:
- Complete FedRAMP documentation, including the FedRAMP System Security Plan (SSP)
- Implement controls in the appropriate impact level
- Undergo an assessment by a FedRAMP Third Party Assessment Organization (3PAO)
- Remediate any gaps found during the 3PAO assessment
- Develop the Plan of Action and Milestones (POA&M) report
- Obtain Agency ATO or Joint Authorization Board (JAB) Provisional ATO (P-ATO)
- Implement a Continuous Monitoring (ConMon) program to include monthly vulnerability scans
Types of FedRAMP compliance
The FedRAMP program details three categories of compliance:
- Security compliance
Covers authentication and authorization, access control, encryption, and incident response
- Operations compliance
Covers system availability and performance, software patching, monitoring, and backups
- Documentation compliance
Covers system and service documentation, data flow diagrams, and authorization packages
FedRAMP compliance is based on different kinds of risk in three distinct areas: Confidentiality, Integrity, and Availability, commonly referred to as the CIA triad. This standard model forms the basis for developing security systems.
Protections for personal and proprietary information
Protections against modification or destruction of information
Timely and reliable access to data
The four FedRAMP impact levels are:
- High Impact Level
FedRAMP High includes about 425 cybersecurity controls. Organizations that qualify for FedRAMP High are primarily in law enforcement, emergency services, financial services, and healthcare systems. For these organizations, the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
- Moderate Impact Level
FedRAMP Moderate is based on about 325 controls. About 80% of FedRAMP-authorized organizations are at the Moderate impact level. For these organizations, the loss of confidentiality, integrity, or availability could seriously affect organizational operations, assets, or individuals. Nearly 80 percent of approved FedRAMP applications are at the moderate impact level.
- Low Impact Level
FedRAMP Low includes about 125 controls. For organizations that qualify for FedRAMP Low, the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, assets, or individuals.
- Low Impact SaaS (FedRAMP Tailored or Ll-SaaS)
FedRAMP Tailored is a subset of low impact that includes about 36 controls. This impact level is for SaaS applications that do not store personally identifiable information beyond basic log-in information (e.g., usernames and passwords). FedRAMP Tailored-level organizations have low-risk systems, such as collaboration tools, project management applications, and tools that help develop open-source code.
FedRAMP vs. The Risk Management Framework (RMF)
FedRAMP is the program that authorizes cloud providers’ services and solutions for use by public agencies. The Risk Management Framework (RMF) is part of NIST SP 800-37, which federal agencies must follow to have their IT system authorized to operate.
The FedRAMP security assessment framework (SAF), which helps to standardize the security assessment, authorization, and monitoring of cloud products and services, is based on the NIST SP 800-37 RMF and includes some control enhancements relevant to cloud security that NIST 800-37 does not.
FedRAMP process areas vs. NIST SP 800-37 RMF process areas
|NIST SP 800-37
FedRAMP and other federal compliance programs
FedRAMP draws its requirements from several other federal compliance programs. Below are examples of what FedRAMP incorporates from other federal compliance programs.
- Federal Information Processing Standards (FIPS) 140-2
FedRAMP pulls from FIPS 140-2 the requirements for federal agencies and contractors when implementing cryptographic modules and encrypting data.
- Federal Information Processing Standards (FIPS) 199
From FIPS 199, FedRAMP uses the security impact levels, and associated requirements, for security, privacy, and risk management.
- NIST Special Publication 800-37
NIST SP 800-37’s Risk Management Framework (RMF) provides the regulations used by FedRAMP to direct how organizations implement risk assessment and management controls.
- NIST Special Publication 800-53
NIST SP 800-53 provides the security controls that FedRAMP requires organizations to implement to properly secure their systems.
FedRAMP authorization: Assurance of security beyond the federal government
For many organizations, FedRAMP performs double duty in terms of gaining customers’ trust and confidence. Achieving FedRAMP authorization is a powerful validation of the security of the cloud providers’ service or solution. Beyond meeting the minimum requirements to provide cloud services or solutions to federal agencies, FedRAMP shows non-government organizations that the provider is serious about security and has validated its efficacy with rigorous reviews and testing.
Becoming FedRAMP authorized offers cloud service or solution providers a number of other benefits, including:
- Ability to leverage FedRAMP to meet other agencies’ security assessments and requirements
- Real-time security visibility
- Savings on cost, time, and resources
- Uniform risk-based management
The FedRAMP process takes time and effort, but FedRAMP authorization has proven to be a worthwhile effort for the cloud service and solution providers who have achieved it.
You might also be interested in:
Take control of your cloud platform.
Learn more about SailPoint Identity Security.