FedRAMP compliance is a requirement for commercial cloud service providers (CSP) looking to provide s a security and compliance accreditation requirement for commercial cloud service providers looking to sell their solutions to US Government agencies. FedRAMP certifications are managed by GSA which is a US Government agency takes with operating the program. Federal agencies select and procure commercial cloud services based on their security requirements that are based on specific security levels called baselines. There are four major security baselines in the FedRAMP program High, Moderate, Low and Low-Impact SaaS (LI-SaaS).
What is FedRAMP Compliance?
FedRAMP is a Government-wide Program for Authorizing Cloud Services that was established by Congress and managed by GSA. The FedRAMP program provides a standardized approach to securing systems, assessing security controls, and continuously monitoring cloud services used by federal agencies. The FedRAMP program allows commercial organizations to streamline the compliance and certification process by “certify once, use many times” across agencies. The program’s key participants are the FedRAMP PMO, JAB, federal agencies, cloud service providers, and third-party assessor organizations (3PAO). The FedRAMP’s PMO (Program Management Office) is headed by GSA and serves as the facilitator of the program. The office’s responsibilities include managing the program’s day-to-day operations, creating guidance and templates for agencies and cloud service providers to use for developing, assessing, authorizing, and continuously monitoring cloud services per federal requirements.
FedRAMP High Baseline
The FedRAMP High baseline is based on Federal Information Processing Standard (FIPS) 199, which provides the standards for categorizing information and information systems. It is important that commercial cloud service providers understand the impact level of their offering(s) and correlated security categorization when developing their authorization strategy. The baselines are developed across three security objectives: Confidentiality, Integrity, and Availability.
High Impact data is usually in Law Enforcement and Emergency Services systems, Financial systems, Health systems, and any other system where loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. FedRAMP introduced their High Baseline to account for the government’s most sensitive, unclassified data in cloud computing environments.
The FedRAMP Marketplace has around 300 authorized commercial cloud services, of which less than 10% are accredited at the FedRAMP High baseline. This presents a significant competitive advantage for commercial cloud providers looking to offer their services to meet sensitive mission requirements. There are 421 security controls that must be implemented based on the NIST Special Publication 800-53 Rev 4 requirements. The FedRAMP High baseline based on the NIST Special Publication 800-53 Rev 5 is expected to have 392 controls.
Accelerating FedRAMP High Compliance and Certification
Conducting market research and getting a sense of options and trends is essential to making an informed decision on selecting the right FedRAMP ATO (Authority To Operate) strategy.
Here are some available links with additional content for research.
This blog post provides details on specific cost line items and critical drivers. The blog post also includes comments from FedRAMP SME’s and CISO/CTO’s of companies that have successfully achieved FedRAMP compliance.
Are you interested in FedRAMP certification? Schedule a free consultation to learn more about our FedRAMP Accelerator Assessment that can reduce the time and cost of your project by over 40%.