What is FedRAMP?
FedRAMP (Federal Risk and Authorization Management Program) is an assessment and authorization process that federal agencies use to ensure the security of cloud computing services and products. If you belong to a cloud company that wishes to provide services in the federal space, you could work towards becoming a FedRAMP Authorized Cloud Service Provider (CSP). This authorization will likely improve your chances of winning any government contract, and it is required before federal agencies can consider your offering at all.
FedRAMP is based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Security and Privacy Controls, together with the low/moderate security categorization defined in Federal Information Processing Standard 199 (FIPS 199). SP 800-53 is the control set that federal agencies themselves use to meet FISMA requirements, and it is currently being updated to revision 5. FIPS 199 is the standard for document processing, encryption algorithms and other information technology standards used within non-military government agencies and by government contractors and vendors. FedRAMP's requirements are more stringent than the NIST baselines.
Why should a cloud service provider aim for FedRAMP authorization?
If you are a cloud service provider and wish to sell your services to federal agencies, then you need to be aware of FedRAMP. The federal government spends billions of dollars every year on cloud services. FedRAMP certification brings a level of standardization that lets you compete on a more even playing field with other authorized cloud service providers. Your Chief Information Security Officer (CISO) would be the key person coordinating this initiative for your company.
Diagram: as seen on fedramp.gov
How does a cloud service provider become FedRAMP Authorized?
To become authorized, you must go through an accreditation process, which includes being assessed by an approved Third Party Assessment Organization (3PAO).
If you, as a cloud services provider, decide that you want to obtain FedRAMP authorization for your company, here are some basic steps that you can follow:
- Start by reviewing documents, templates and other resources at the FedRAMP site.
- Complete the FedRAMP training.
- Submit a CSP information form to the program management office. This form is available on the FedRAMP website.
- At this point, the office will work with you and your team to review preliminary information, establish a partnership with a Third Party Assessment Organization (3PAO), and determine whether the authorization will proceed.
- By this time, you would need to ensure that your service offering has implemented the necessary security controls as described in FIPS 199.
- Your company would then pursue provisional authorization while working towards full authorization. During this authorization period, you would have an Authorization Kick-off meeting and an assessment, during which you would need to complete the reports and deliverables the process demands.
- This material is then reviewed by the authorizing party, and if it is accepted, you could become a FedRAMP authorized cloud service provider.
Once authorized, you will need to submit monthly continuous monitoring deliverables and reports to the agencies that use your services. You must also complete an annual Security Risk Assessment to maintain your Risk Assessment Status, and keep your documentation in the FedRAMP secure repository up to date.
At present, while 24by7Security is not yet a 3PAO, we can help you get ready for authorization by assessing the controls currently in place for your cloud environment and assisting you in implementing the controls needed to meet SP 800-53 requirements. Don't Risk it, Secure it!