Blog

This is the first of a series of blogs on the evolving landscape of secure commercial cloud computing enabled by the FedRAMP program. The President signed into law H.R. 7776, the “James M. Inhofe National Defense Authorization Act for Fiscal Year 2023”, which includes the FedRAMP Authorization Act. The FedRAMP Authorization Act codifies the Federal Risk and Authorization Management (FedRAMP) Program, which is a Government-wide initiative that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies. The FedRAMP program is governed by the FedRAMP Program Management Office (PMO) within the General Services Administration (GSA). The FedRAMP Program was established in 2012 through an Office of Management and Budget (OMB) memorandum. The passage of the FedRAMP Authorization Act codifies this program into a law enacted by Congress with formal congressional scrutiny and oversight. This blog provides an

The Checkmarx One™ Application Security Platform is preparing to meet the rigorous requirements of FedRAMP alongside the currently authorized Checkmarx CxSAST ATLANTA, Oct. 31, 2022 /PRNewswire/ — Checkmarx, the global leader in developer-centric application security testing (AST) solutions, today announced that it has initiated the process to achieve Federal Risk and Authorization Management program (FedRAMP®) authorization status for its Checkmarx One™ Application Security Platform. FedRAMP promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. The company has engaged stackArmor, Inc., a leading provider of FedRAMP engineering and advisory services, to guide Checkmarx through the FedRAMP authorization process. For over 10 years, the experts at stackArmor have been guiding cloud service providers through the process of meeting government compliance standards including the Federal Information Security Modernization Act (FISMA), FedRAMP, and standards set

PINEHURST, NORTH CAROLINA, USA, December 22, 2022 /EINPresswire.com/ — TERIDA, the award-winning, women-owned-controlled-led, RegTech small business, today, announced the next stage of their Federal Risk and Authorization Management Program (FedRAMP®) journey – ‘FedRAMP In Process’ designation for their cloud platform, the Terida RegTech Framework – CLASsoft™. This ‘FedRAMP In Process’ status is FedRAMP confirmation that TERIDA is working to achieve FedRAMP authorization per the scheduled timetable. FedRAMP is a U.S. government program, established in 2011, that provides a standardized approach to security and risk assessment, and authorization and continuous monitoring for cloud technologies. And now, with the FedRAMP Act included within the 2023 National Defense Authorization Act, the “legislative framework” for critical cyber security requirements, authorization, compliance and government procurement of cloud solutions has been prioritized with bipartisan support. “Since moving to the cloud in 2017, we have been deliberate in our commitment to cyber security and privacy standards and

stackArmor’s ThreatAlert® ATO Accelerator helps ISVs and SaaS providers reduce the time and cost of FedRAMP authorizations December 21, 2022 14:16 ET | Source: stackArmor, Inc. TYSONS CORNER, Va., Dec. 21, 2022 (GLOBE NEWSWIRE) — stackArmor, Inc., a leading provider of Federal Risk and Authorization Management Program (FedRAMP®), Federal Information Security Modernization Act (FISMA), CMMC 2.0, and StateRAMP security & compliance acceleration solutions, announced today that it has advised MicroStrategy, in gaining FedRAMP authorization of the MicroStrategy Cloud for Government cloud service offering built on a high-performance cloud-native Kubernetes architecture. FedRAMP promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security assessment, authorization, and continuous monitoring for commercial cloud products and services. For over 10 years, the experts at stackArmor have been guiding cloud service providers through the process of meeting government compliance standards, including FISMA, FedRAMP, and standards set by the National

  stackArmor’s ThreatAlert® ATO Accelerator helps ISV’s and SaaS providers reduce the time and cost of FedRAMP authorizations TYSONS, Va., November 16, 2022–(BUSINESS WIRE)–stackArmor, Inc., a leading provider of Federal Risk and Authorization Management Program (FedRAMP®), Federal Information Security Modernization Act (FISMA), CMMC 2.0, and StateRAMP compliance acceleration solutions, announced today that it has assisted Forcepoint, a Global security leader, in expanding the FedRAMP authorization of the Forcepoint ONE all-in-one cloud platform. FedRAMP promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. stackArmor, Inc. has continued to support Forcepoint through their FedRAMP journey from initial authorization through the FedRAMP significant change and annual assessment process for Forcepoint ONE. Forcepoint ONE is the converged, cloud-delivered platform for Security Service Edge (SSE, the security component of SASE) that protects agency employees and contractors

  Cloud Security Provider Names Ben McGucken to Head Federal Sales and Announces Support for AWS GovCloud (US) and Azure for US Government BOSTON & TEL AVIV, Israel, September 14, 2022–(BUSINESS WIRE)–Ermetic, the cloud infrastructure security company, today announced that it has initiated the process to achieve Authority to Operate (ATO) status under the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The company also announced the appointment of Ben McGucken as regional vice president of sales for US Federal and Latin America, who will lead the company’s FedRAMP certification. In addition, the Ermetic cloud security platform now supports AWS GovCloud (US) and Azure for US Government – which are designed to address specific regulatory and compliance

In a previous Blog, stackArmor reviewed the process of obtaining an agency sponsored Federal Risk and Authorization Management Program (FedRAMP) Authority to Operate (ATO). Any cloud service provider (CSP) serving government agencies must have a FedRAMP Authorization. This blog will address the second, less common path to obtaining a FedRAMP Authorization: through a Joint Authorization Board (JAB) sponsorship. The JAB is FedRAMP’s primary governing body whose board includes Chief Information Officers (CIOs) from the following three federal organizations: Department of Defense (DoD) General Services Administration (GSA) Department of Homeland Security (DHS) A JAB authorization is slightly different than an agency authorization as it results in a Provisional ATO (P-ATO). It is provisional because the JAB cannot accept risk on behalf of any agency, only an agency can do that with their ATO. Agencies are still able to access and use the available P-ATO package to grant their own ATO, making

  Providing cloud solutions to government agencies requires those cloud solutions to hold a Fedal Risk and Authorization Management Program (FedRAMP) Authorization to Operate (ATO). There are 2 paths to obtaining a FedRAMP ATO: Sponsorship by an Agency and a provisional ATO (P-ATO) through the Joint Authorization Board (JAB). This blog will cover the path to ATO through an agency sponsor since agency ATOs account for 70 percent of all FedRAMP ATOs. JAB PATOs will be covered in a separate blog. 1 – Find an agency willing to sponsor the cloud service offering (CSO). Finding an agency to sponsor and champion a Cloud Service Offering (CSO) through the FedRAMP process is probably the longest pole in the tent for getting the coveted FedRAMP Authorization. The issuance of an  agency ATO represents an acceptance of risk associated with the CSO on the part of the agency’s authorizing official (AO).A prime

  If you are an ISV or SaaS solutions provider looking to pursue US DOD and FedRAMP accreditations then please join our webinar discussion on DOD Impact Level 4 ATO and Lessons Learned. You can learn more by registering here. Date: Dec 7, 2022 02:00 PM in Eastern Time (US and Canada) The U.S. Department of Defense (DoD) has unique information protection requirements that extend beyond those established by the Federal Risk and Authorization Management Program (FedRAMP). Using the FedRAMP requirements as a foundation, the Defense Information Systems Agency (DISA) developed and maintains the DoD Cloud Computing Security Requirements Guide (CC SRG). The DoD CC SRG defines the standards for categorizing DoD information and information systems and breaks them into 4 Impact Levels (DoD ILs): – DoD IL 2 – Public or Non-Critical Mission Information – DoD IL 4 – Controlled Unclassified Information (CUI) or Non-CUI, Non-Critical Mission Information, Non-National Security Systems

As DoD agencies continue their migration of sensitive workloads to the cloud, there is a greater need to ensure those workloads are deployed around the rigorous DoD Cloud Computing Security Requirements Guide (SRG) at Impact Levels 4 and 5. Systems categorized at Impact Level 5 (IL5) are allowed to host non-public, unclassified National Security System (NSS) system data (i.e., U-NSI) or non-public, unclassified data. The work to support the path to IL5 is made easier by both stackArmor’s proprietary ThreatAlert® Authority To Operate (ATO) Accelerator and the company’s experience supporting the technical and architectural implementation of IL5 controls. ThreatAlert® ATO Accelerator provides a proven, independently audited secure digital platform that includes (1) a landing zone, (2) an “in-boundary” cloud general support system (GSS) and (3) compliance controls for the DOD IL5 package/SSP (System Security Plan). stackArmor provides our clients a suite of implemented security controls, evidentiary support and artifacts, and

When using containers, Cloud Service Providers (CSPs) are NOT precluded from adhering to host-based security guidelines and FIPS 140-2 (soon 140-3) encryption requirements

This is an older blog which has been superseded by the latest blog based on the official release of the Rev 5 baselines by the FedRAMP PMO.  Since its inception, FedRAMP has used the National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53) procedures and guidelines as the foundation for providing standardized security requirements and control definitions for cloud service providers wanting to serve the federal market. In fact, FISMA, RMF, FedRAMP, OSCAL, and SCF all use NIST as a gold-standard foundation for standardized compliance guidelines. To align with the updates in NIST’s final release of Rev. 5 (which was drafted in 2020 and open to public comment through October 1 of 2021,) FedRAMP has re-established their control baselines accordingly. In December of 2021, FedRAMP released their new Rev 5 baselines, re-aligning with the NIST Rev. 5 update. The new baselines are a result of close collaboration between the FedRAMP

  Large software vendors, global defense contractors and organizations operating in hyper regulated markets must meet very specific government cybersecurity requirements. These requirements include ensuring data sovereignty as well as compliance with specific standards like FedRAMP or ITSG-33 in the US and Canada respectively. The rapid emergence of data sovereignty requirements are driving the increased need for “in-region” deployments that provide the ability to contain the data within a pre-specified area. External connections to corporate services, other SaaS services, or other systems cause the assessors to take a real hard look at data flows. This scrutiny and extra due diligence can slow down the accreditation process. These unique constraints create challenges for large global organizations looking to meet complex regulatory requirements in a cost-effective manner. This problem can be solved by using an “in-boundary” security and compliance model that limits the number of external connections and delivers a “region-gapped” service.

Large ISV’s, Global Defense contractors and organizations operating in global hyper regulated markets must meet very specific government cybersecurity requirements.

The FedRAMP Program Management Office (PMO) issued updated guidance on the FedRAMP Readiness Assessment requirements.

The cost of pursuing a FedRAMP authorization for a software company range from $500,000 to $1 million for a single product. Obviously, this is especially burdensome for small companies — the same firms that often drive the innovation and modernization the government seeks.
Author: Michael Garland, Gaurav “GP” Pal

As the Federal Risk and Authorization Management Program marks its 10th anniversary, it’s time to applaud FedRAMP’s accomplishments — but also explore ways to scale its operations so the government can more quickly adopt innovative software solutions.
Author: Michael Garland, Gaurav “GP” Pal

Organizations looking to participate and take advantage of the rapidly growing Government and Public sector cloud market must get ready by conducting a gap assessment of their environment.

FedRAMP was established in 2012 and is managed by the U.S. General Services Administration.