The Federal Risk and Authorization Management Program (FedRAMP) provides U.S. federal agencies and their vendors with a standardized set of best practices to assess, adopt, and monitor the use of cloud-based technology services under the Federal Information Security Management Act (FISMA).
Simply put, FedRAMP is a program to standardize FISMA compliance and promote the adoption of secure cloud technologies among U.S. government agencies. These technologies include SaaS, PaaS, and IaaS solutions, plus their providers.
Under FedRAMP, “agencies” means all federal government departments and offices that consume cloud solutions, while “vendors” means any cloud service provider (CSPs) and independent software vendor (ISVs).
The goal of FedRAMP is to protect government data in cloud environments and strengthen agencies’ IT security. The program requires all cloud systems that process or transmit government data to include security controls that comply with FedRAMP standards. These controls span multiple areas including access control, configuration management, contingency planning, and risk assessment.
Additionally, the security management of these cloud systems must use a risk-based approach. Federal agencies can identify and assess security risks and develop appropriate risk mitigation strategies by adhering to the processes, procedures, and controls specified in FedRAMP.
FedRAMP standards are jointly implemented and governed by the U.S. Department of Homeland Security (DHS), the Department of Defense (DoD), the General Services Administration (GSA), and several other entities. The program’s day-to-day operations, however, are managed by the FedRAMP PMO (Program Management Office).
FedRAMP Security and Risk Impact Levels
FedRAMP controls are based on controls defined by the National Institute of Standards and Technology (NIST), in a standard known as NIST SP 800-53. The number of controls that a cloud service provider (CSP) must implement depends on what sort of data and IT projects it wants to handle; the more sensitive the data, the higher the risk level a CSP must achieve. FedRAMP defines three risk impact levels – low, medium, and high – and for each one, a CSP is evaluated based on three security objectives:
- Confidentiality
- Integrity
- Availability
Also known as the “CIA Triad”, these objectives govern how cloud systems are assessed and categorized.
Low impact
This risk level is best suited for cloud systems where the loss of CIA would cause limited harm to a federal agency’s operations or assets. These systems usually do not store mission-critical or sensitive data such as personal identifiable information (PII).
Moderate impact
Moderate-impact cloud systems are those where the loss of CIA would likely cause serious harm to an agency’s operations or assets. For example, it could result in significant operational damage, operational disruptions, or financial losses. These systems account for roughly 80 percent of applications for FedRAMP authorization.
High impact
The high impact level applies to cloud offerings that process or store the government’s most sensitive data. The loss of the confidentiality, integrity, or availability of this data could bring catastrophic harm to the agency and any individuals associated with it (such as citizens).
The FedRAMP Security Assessment Framework and the NIST Risk Management Framework
The FedRAMP security assessment framework (SAF) helps to standardize the security assessment, authorization, and monitoring of cloud products and services for any agency that uses them. The framework’s “do once, use many times” structure simplifies the process for agencies conducting security assessments and creating process monitoring reports.
The SAF is a critical document since it is used by multiple entities during the FedRAMP assessment and authorization process. This includes:
- Federal agencies
- CSPs including large providers such as Amazon Web Services (AWS)
- FedRAMP Joint Authorization Board (JAB)
- Third-party Assessment Organizations (3PAOs)
The FedRAMP SAF is based on the NIST SP 800-37 risk management framework (RMF) for information systems and organizations, although it also includes some control enhancements relevant to cloud security that NIST 800-37 does not.
FedRAMP simplifies the NIST RMF by creating four process areas:
- Document
- Assess
- Authorize
- Monitor
These areas encompass the six steps detailed within NIST SP 800-37:
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor
These process areas and steps are explored in further detail in the next section.
FedRAMP Risk Management: Process Areas Based on NIST RMF
The NIST SP 800-37 Risk Management Framework (RMF) to Federal Information Systems serves as one of the foundations for risk assessment under FedRAMP.
The NIST RMF can apply to all kinds of information systems and organizations – including private businesses and on-site IT systems rather than those in the cloud. FedRAMP simplifies the RMF and tailors it to federal agencies, their CSP vendors, and their cloud computing products and services.
The FedRAMP RMF incorporates four process areas:
1. Document
This step incorporates steps 1-3 of the NIST RMF: Categorize, Select, Implement.
In this phase, a CSP performing the risk assessment will categorize the cloud-based information system, select the security controls, and implement and document these controls in a System Security Plan (SSP).
System categorization starts by determining the types of information that will be contained within the system; from there, you can determine the system’s risk impact level. Once that’s done and you know your risk impact level, you can select the FedRAMP baseline security controls appropriate for that level. The baseline provides the minimum controls the CSP must implement to meet FedRAMP’s requirements for low or moderate security impact level systems.
After selecting the control baseline, the CSP implements the security controls related to the system’s impact level: either implementing new capabilities, or re-configuring existing ones.
If the CSP cannot implement a particular control, it must provide justification. The CSP must also document the details of control implementation in its system security plan. Also, if the agency has specific mission needs, the CSP may have to implement additional security controls beyond the FedRAMP baseline.
2. Assess
To achieve FedRAMP authorization, all CSPs must use a third-party assessor (3PAO). A FedRAMP-accredited 3PAO will use the FedRAMP baseline security test case to test the cloud system. The goal is to determine whether the implemented controls are effective and documented in the SSP.
CSPs can also use an independent assessor who hasn’t achieved FedRAMP accreditation. In that case, however, the CSP must submit an attestation describing the assessor’s independence and technical qualifications.
During this phase, the assessor prepares a security assessment plan (SAP), which identifies all the assets within the scope of the assessment, as well as a roadmap and methodology for test execution. During security testing (conducted by the assessor), the CSP must lock down the system as much as possible to remediate any risks found during testing.
3. Authorize
After completing testing, authorizing officials (AOs) make an authorization decision based on the completed package of documents and the risks identified during testing. They analyze the discovered risks, vulnerabilities, and threats and present those issues in a security assessment report (SAR).
The SAR also includes risk mitigation guidance for CSPs. Like the SAP and SSP, the SAR is based on FedRAMP templates available at www.fedramp.gov.
The CSP develops a Plan of Action & Milestones (POA&M) that addresses the specific vulnerabilities mentioned in the SAR. It also compiles and submits a final security package for JAB (JAB P-ATO or provisional authority to operate) or agency authorization (agency ATO or authority to operate) review.
The assessing officer will review the entire package and decide whether to authorize the cloud solution. If the answer is yes, the officer formalizes the decision in an authorization (P-ATO) letter.
The letter will be signed either by the JAB or by a government agency, depending on which authorization pathway the CSP chose. Either way, the FedRAMP-authorized CSP is then added to the FedRAMP marketplace.
4. Monitoring
All authorized CSPs must implement ongoing assessment and authorization (also known as continuous monitoring) to assure that they continue to meet FedRAMP requirements. It ensures that the security authorization package remains updated. It also provides information about the effectiveness of a CSP’s security controls so agencies can make informed risk management decisions while deploying and using cloud services. Failure to implement continuous monitoring can result in revocation of the CSP’s authorization.
Simplify and Manage FedRAMP Compliance with ZenComply
Manual processes and spreadsheets are a painful, expensive way to streamline your FedRAMP compliance program. Simplify the effort and increase the probability of successful authorization with the right technology. Try ZenComply.
This integrated risk management, audit, and compliance platform facilitates continuous compliance monitoring. It provides a single automated system of record to meet compliance requirements and keep up with changes to FedRAMP and other regulations.
If you are preparing for an audit, we can help with that too. ZenComply facilitates continuous compliance monitoring and automates the audit process. It also provides complete visibility into the enterprise FedRAMP compliance program. Schedule a demo to learn more about ZenComply’s capabilities.