Stackarmour

What are FedRAMP Compliance and Certification Requirements for CSPs

FedRAMP certification is a security and compliance accreditation requirement for commercial Cloud Service Providers (CSPs) looking to sell their solutions to US Government agencies. FedRAMP certifications are managed by the General Services Administration (GSA), the US Government agency that operates the program.

US Government agencies are rapidly transforming with an increasing demand for cloud services that are FedRAMP accredited. A recent market research report forecasts that agency demand for vendor-furnished cloud computing goods and services will grow from $5.3 billion in FY 2019 to $9.1 billion in FY 2024. A key requirement for commercial organizations selling cloud-hosted applications to US Federal and Department of Defense agencies is having FedRAMP accreditation. FedRAMP is a US Government program for certifying cloud-based solutions for use by US Government customers and is rapidly gaining acceptance.  

What is FedRAMP Compliance?

FedRAMP is a government-wide program for authorizing cloud services that was established by the Office of Management and Budget (OMB) and is managed by GSA. The FedRAMP program is intended to provide a standardized approach to securing systems, assessing security controls, and continuously monitoring cloud services used by federal agencies. The program allows commercial organizations to streamline the compliance and certification process through a “certify once, use many times” model across agencies. While the program has had its challenges and adoption issues persist, FedRAMP certification is gaining traction and is rapidly becoming a “must-have”.

The program’s key participants are the FedRAMP PMO, the JAB, Federal Agencies, Cloud Service Providers, and Third-Party Assessment Organizations (3PAOs).

FedRAMP PMO: The FedRAMP PMO (Program Management Office) is headed by GSA and serves as the facilitator of the program. The office’s responsibilities include managing the program’s day-to-day operations and creating guidance and templates that agencies and cloud service providers use for developing, assessing, authorizing, and continuously monitoring cloud services per federal requirements.

JAB: The JAB (Joint Authorization Board) is made up of the Chief Information Officers (CIOs) of the Department of Defense (DOD), the Department of Homeland Security (DHS), and GSA. It is the primary governing and decision-making body of the program. The JAB is responsible for defining and establishing the FedRAMP baseline security controls and the accreditation criteria for third-party assessment organizations. The JAB is also responsible for issuing a Provisional Authorization to Operate (P-ATO) for cloud services, which determines which services can be leveraged across most of the federal government.

Federal Agencies: Federal Agencies are consumers of commercial cloud services and use the FedRAMP program to evaluate and baseline the risks associated with a Cloud Service Provider’s offering. Agencies are responsible for ensuring that cloud services that process, transmit, or store government information implement FedRAMP’s baseline security controls before they issue subsequent authorizations for using those cloud services.

Cloud Service Providers (CSP): Commercial firms looking to offer cloud services to agencies are required to meet the FedRAMP security requirements and implement the program’s baseline security controls. CSPs are responsible for creating the required security assessment documentation per the program’s requirements and for complying with federal requirements such as incident reporting, among others. A CSP must hire an independent third-party assessor to conduct a FedRAMP audit and submit the results to the FedRAMP PMO.

Third-Party Assessment Organizations (3PAO): These are FedRAMP-accredited assessors that perform initial and periodic assessments of cloud providers’ controls to ensure they meet the program’s requirements. The assessors must be accredited through FedRAMP if they are assessing a cloud provider seeking a provisional authorization from the JAB.

There are two ways to obtain an Authority To Operate (ATO) through the FedRAMP program: 1) Agency-sponsored or 2) JAB-sponsored. In the case of an Agency-sponsored ATO, the FedRAMP authorization is performed by a federal agency in coordination with the FedRAMP PMO. The commercial cloud provider works primarily with the designated Federal agency on FedRAMP certification, which includes complying with NIST SP 800-53 requirements and completing the required documentation and independent assessments. In a JAB-sponsored ATO, the commercial cloud provider works directly with the FedRAMP PMO and submits its package for accreditation by the JAB. For most practical purposes, FedRAMP certifications are obtained primarily through the Agency-sponsored route, as the JAB-sponsored route has capacity constraints and additional “demand”-related requirements.

Conducting market research and getting a sense of options and trends is essential to making an informed decision on FedRAMP ATO (Authority To Operate) strategy. Here are some available links with additional content for research.

This blog post provides details on specific cost line items and critical drivers. The blog post also includes comments from FedRAMP SMEs and CISO/CTOs of companies that have successfully achieved FedRAMP compliance.

Are you interested in obtaining FedRAMP compliance and certification? Schedule a free consultation to learn more about our FedRAMP Accelerator Assessment on AWS. We have developed a fixed-price consulting offer for a free 2-week engagement that provides an assessment of the business, technical and security issues that would need to be addressed for FedRAMP accreditation. The engagement output includes a FedRAMP strategy & roadmap and a detailed cost budget with tailored recommendations. Such engagements typically cost between $40,000 and $50,000.