FedRAMP Documentation and Artifact Requirements for Cloud Services 

US Government agencies are increasingly procuring commercial cloud services for improving customer experience, reducing costs, and securing data. A recent market research report forecasts that agency demand for vendor-furnished cloud computing goods and services will grow from $5.3 billion in FY 2019 to $9.1 billion in FY 2024. A key requirement for commercial organizations selling cloud-hosted applications to US Federal and Department of Defense agencies is having FedRAMP accreditation. FedRAMP is a US Government program for certifying cloud-based solutions for use by US Government customers and is rapidly gaining acceptance.  Commercial Cloud Service Providers (CSP) must develop and present a complete set of documents as prescribed by the FedRAMP program.

What are FedRAMP Documentation and Artifact Requirements?

FedRAMP PMO developed a security assessment framework that must be followed by commercial Cloud Service Providers seeking an Authority to Operate (ATO) that allows US Government agencies to procure such services. The framework is based on NIST SP 800-37 as well as NIST SP 800-53 amongst others to provide guidance on elements key to issuing authorizations. Every commercial Cloud Solutions Provider must develop the information system or cloud service authorization package. An authorization package includes but is not limited to the following artifacts: a control implementation summary, the system security plan, the security test plan, and assessment report, and the remedial action plan. 

System Security Plan (SSP): The SSP documents security controls that need to be implemented to meet FedRAMP’s requirements. The security controls and requirements are specified in NIST SP 800-53 and depend on the impact level of the system. The FedRAMP PMO (Program Management Office) makes available templates to make it easy for organizations to understand the right set of controls to start considering. The commercial cloud service provider (CSP) must create the SSP document that describes the controls for which the CSP has responsibility for implementing or a shared responsibility with the agency. The US Government Agency will ask for and review the SSP as part of the due diligence and the authorization process. 

Control Implementation Summary (CIS): The CIS specifies security responsibilities for the agency and the commercial cloud service provider. The Agency will review the summary to ensure that control responsibilities assigned to the agency or shared with the cloud service provider are accurately defined. 

Security Assessment Report (SAR): he SAR documents result in control tests and control effectiveness and are typically developed by a Third-Party Assessor (3PAO). The accredited 3PAO tests the security controls of the cloud service for weaknesses and produces the report for the agency to review. The Agency reviews the report of the CSP’s environment to determine if risks identified by the independent third-party assessor are acceptable. 

Remedial Action Plan: The Remedial Action Plan lists cloud service deficiencies; identifies responsibilities for addressing deficiencies; and cites resources and planned dates for mitigating deficiencies. The commercial cloud service provider must maintain the remedial action plans and mitigate control deficiencies identified with its service. Typically, the CSP develops the remedial action plans based on the SAR provided by 3PAO.

This blog post is designed to help commercial organizations begin their FedRAMP certification journey by being better informed. There are other supporting documents required and only the most critical ones have been highlighted in this post. 

Are you interested in FedRAMP certification? Schedule a free consultation to learn more about our FedRAMP Accelerator Assessment on AWS. We have developed a fixed price consulting offer for a free 2-week engagement that provides an assessment of business, technical and security issues that would need to addressed for FedRAMP accreditation. The engagement output includes a FedRAMP strategy & roadmap and a detailed cost budget with tailored recommendations. Such engagements typically cost between $40,000 to $50,000. Also, make sure you ask about the stackArmor ThreatAlert Cloud Security GSS solution that provides FedRAMP security controls, associated documentation artifacts and managed compliance services for commercial SaaS providers.

Are you a commercial SaaS or PaaS provider looking to sell your services to US Government agencies? If so then conducting market research and getting a sense of options and trends is essential to make an informed decision on FedRAMP Authority to Operate (ATO) strategy. Here are some available links with additional content for research.