Overview of the Cloud Service Offering
Authorization Boundary Diagram and Description
Services used and their FedRAMP Authorization Status
Data Flows along with Descriptions
Security Controls: Gaps and Customer Responsibilities
- Work Breakdown Structure and Milestones
Each of these topics are covered in greater detail.
Cloud Service Offering Overview
This is an introductory section to allow the Agency and other stakeholders to gather essential information about your organization and the solution you offer. Typical information needed in this section includes:
Cloud Service Offering Name (as it will appear on the FedRAMP Marketplace)
Service Offering Description that covers:
– What are the core capabilities and functions provided by the service?
– How does an Agency use and experience your offering?
– Describe the federal data that will be stored / processed / transmitted by the service offering.
FIPS 199 System Categorization: Low / Moderate / High
Service Model: SaaS / PaaS / IaaS
Deployment Model: Public / Community / Hybrid
Cloud Stack / Leveraged Systems/External Connections
Authorization Boundary and Data Flows
The Authorization Boundary Diagram and Data Flow descriptions are a very important part of the Kickoff Meeting due diligence process for a FedRAMP authorization. It is essential to provide the agency with a clear picture of the system architecture and components that make up the authorization boundary for the cloud service offering. There are a number of helpful job aids to prepare an Authorization Boundary Diagram. The Authorization Boundary discussion is fairly detailed and will likely consume of the bulk of the discussion.
Services with FedRAMP Authorization Status
Every Cloud Service Offering that is being authorized at a particular FedRAMP Impact Level, must ensure that any leveraged or inherited services are accredited at the same or higher level as the Cloud Service Offering. Any services that are not FedRAMP authorized need to be flagged and discussed to explain why it is justified to be part of the solution boundary. A key element of this discussion allows the Agency to assess risk and understand any supply chain vulnerabilities from data traversing the boundary.
Security Control Gaps and Customer Responsibility
In this section the agency is looking for a detailed understanding of the critical security control implementations, any gaps and remediation timelines. Additionally, the agency must know what specific responsibilities they have for securely operating or consuming the provided commercial cloud service. Specific content includes the list of controls that the Agency will be fully or partially responsible for implementing in the boundary. Controls that cannot be fully inherited by the customer must be
documented in the Customer Responsibility Matrix (CRM).
Work Breakdown Structure and Milestones
There are a number of critical milestones and activities that must be completed as part of the FedRAMP authorization process. The WBS/Project Plan provides the Agency and the FedRAMP PMO with an understanding of the project timelines and allows them to assess and allocate resources to support the project. Some of the key activities that must be included are conclusion of the prepare phase that includes the System Security Plan (SSP) and all attachments and the subsequent 3PAO assessment deliverables that include the Security Assessment Plan (SAP) delivery.
The FedRAMP authorization process is fairly intense but by being well-prepared you can avoid rework and a lot of costly back & forth. For organizations planning to pursue FedRAMP certifications, here are some helpful resources for further analysis and planning.
FedRAMP Authorization Act: Implications for Cloud Service Providers
Preparing for FedRAMP – Whitepaper
Achieving DOD IL-4 ATO Lessons Learned
How much does it cost to prepare for FedRAMP
Agency Briefing Guidance for Kickoff
We hope you find these resources helpful. Please contact us to schedule a free consultation and planning discussion.