Choosing a FedRAMP Hosting Provider
When it comes to cloud computing solutions for your company, there are thousands of capable service providers available to help. However, you may find yourself needing a vendor authorized to operate cloud services for all or some federal agencies – in other words, a provider who is in alignment with and meets the strict federal standards of the Federal Risk and Authorization Management Program (FedRAMP).
FedRAMP has changed the way the cloud computing industry and government agencies look at security. Yet most cloud providers have aligned to these federal standards. Further, not all FedRAMP solutions provide the same control coverage, implying that some FedRAMP solutions shoulder more of the responsibility than others and therefore provide more value to the customer than others.
The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 as part of the Cloud First policy, a government initiative to encourage agencies to utilize cloud-based alternatives for system infrastructure in consideration of cost, resiliency, resources, and specifically security. FedRAMP is basically an augmentation of the Federal Information Security Management (FISMA) Act of 2002, which established an emphasis by the federal government on information security.
However, the controls inside FISMA are geared towards physical space and servers – not virtualization. FedRAMP picks up that slack by being geared towards mode dependencies and cloud resources while ensuring security and compliance frameworks established by FISMA are met.
Why FedRAMP is Important?
FedRAMP is a standardized approach for assessment, authorization, and monitoring of cloud products and services for the government. It has a significant impact on government agencies, cloud service providers (CSPs), contractors, and any service providers offering cloud services to the federal government. These organizations would either need their own FedRAMP Authority to Operate (ATO), or work with a FedRAMP-approved provider.
… From the Government’s Position
FedRAMP is important to the government for several reasons. The government must consider cost efficiencies and models laid out in the Cloud First Policy, the elasticity benefits associated with virtualized services, the automation of secure systems (which removes slow procurement processes), and the benefits of shifting security and compliance responsibilities to the CSP. Instances of information security breaches have shed light on an issue that is garnering more and more attention from those in federal positions, who recognize it is imperative to keep ahead of the problem instead of remaining reactive.
… From the CSP’s Position
The federal government is the largest single producer and disseminator of information in the United States. As a result of the Cloud First Policy, FedRAMP was created to govern and ensure sufficient information security in cloud-based offerings for federal agencies. Being FedRAMP authorized is a must if you do any business with the government; it adds credibility to your organization, allows you to leverage cloud offerings, and ensures you can bid on government work. When bidding on such work, one of the first questions you’ll be asked is, “Are you FedRAMP compliant?” … That’s how important FedRAMP is for CSPs.
Benefits of Selecting a FedRAMP-Compliant CSP
The benefits of leveraging a FedRAMP-authorized CSP is that they implement the security controls you otherwise would have to implement. Whether it’s Infrastructure as a Service (IaaS), Software as a Service (SaaS), or Platform as a Service (PaaS), every solutions provider will give you a different FedRAMP-approved offering. The key to success is to find a vendor option that implements the right security controls and provides the right services so that you don’t get caught supplementing the CSP’s controls with further controls in order to meet your own requirements.
A FedRAMP-authorized CSP will no doubt have managed integration and advanced security assessments, but not all provide managed support or on-demand support on the entire hosting environment, including on the application layer. These additional services differentiate one FedRAMP-authorized CSP over another.
“The key to success is to find a vendor option that implements the right security controls and provides the right services so that you don’t get caught supplementing the CSP’s controls with further controls in order to meet your own requirements”
How the FedRAMP Process Works
Once your organization achieves a FedRAMP ATO from an agency, you can reuse the preexisting FedRAMP framework provided by that agency, subsequently either adding or mitigating certain controls. A good FedRAMP-authorized CSP will already have covered a significant percentage of those controls which you will be able to reuse to achieve your own authorization. The more controls the CSP provides, the fewer your organization will need to implement.
When applying for your own FedRAMP ATO, a good CSP will help you cover a significant percentage of the required controls. Your FedRAMP Third Party Assessment Organization (3PAO) will audit evidence to make sure your offering is not deficient. The more controls your CSP implements, the more you will be able to reuse and the less work you will ultimately be responsible for.
There are seven main activities involved in getting your system FedRAMP authorized:
- Information Categorization – Only low and moderate impact systems can go through the FedRAMP process. These systems have to be FIPS 199 based (meaning all the data is encrypted).
- Security Controls – For a low impact system there are roughly 120 controls, which are based on NIST 800-53 standards. For a moderate impact system there are roughly 300 controls, also based on NIST 800-53 standards. High impact systems have around 450 controls.
- System Security Plan (SSP) – The FedRAMP SSP template is approximately 350 pages. In this document, you’ll describe your cloud service offering, responding to each of the 120/300/450 controls and include supporting documentation.
- SSP Supporting Documentation – This entails system policies and procedures, a user guide, an e-Authentication worksheet, and a privacy threshold analysis/privacy impact assessment.
- Risk Assessment – This is similar to a FISMA assessment and examines the threats to and vulnerabilities of your system.
- Independent Assessment – This requires the use of roughly 60 3PAO to test the applicable controls in your SSP (e.g., penetration testing of the infrastructure).
- Certification & Authorization – Authorized by sponsoring agency, this is similar to a FISMA certification or accreditation. Once you get an ATO from a sponsoring agency, you can leverage your approved system to service government requests. You can also achieve a provisional ATO (P-ATO) via a JAB.
At this point in the process, you’ll have to deal with the ever-changing landscape of cloud IT. That means you’ll go through continuous monitoring cycles for your system (this is all documented in your SSP). You will have to perform a full assessment of your control sets in your first round of monitoring. Unless your eligible for sampling on a control, this entails showing evidence for every single device you have in your system. For example, if you have 100 hypervisors and 50 storage nodes behind them, you’ll be generating 150 pieces of evidence for that once control piece. Again, this is where a good CSP comes into play – allowing you to inherit those controls. The more controls they cover, the fewer you have to implement yourself.
FedRAMP is about security and compliance. It is an unwieldy process and extensive investment of time, money, and resources. The average time to get through the entire process is over one year.
We know what it takes to be FedRAMP authorized. We’ve been through it, and understand that the hard work doesn’t end when you achieve approval. Working with a FedRAMP CSP, your agency can focus on content delivery rather than system administration, cyber-security, and the ever-changing realm of compliance standards. We help make this in-depth security assessment process as quick and easy as possible.
If you want to do business with the federal government, you have to be FedRAMP authorized. Despite being an onerous process, you have to start somewhere. Contact us today to see how we can help you meet your own compliance requirements or potentially achieve your own FedRAMP authorized SaaS offering.