Top Three Stakeholders in the FedRAMP Process

While cloud solutions have made it possible to make computer systems more efficient and effective, the federal IT infrastructure has had a hard time adopting this innovation. Saddled by redundant, time-consuming, costly, and inefficient systems, the federal government has found it hard to secure its IT systems without throwing hundreds of millions of dollars down the drain.

That is where the Federal Risk and Authorization Management Program (FedRAMP) comes in. FedRAMP is a security assessment, authorization, and monitoring process used by US federal agencies to ensure the security of cloud products and services. By using a “do once, use many times” framework, FedRAMP has saved agencies cost, time, and staff for cybersecurity evaluations.

FedRAMP streamlines the old system of each agency having its own separate security risk assessment and authorization for its IT systems. By providing a unified and government-wide framework for managing risk, FedRAMP overcomes the downside of redundancy, costliness, and inefficiency associated with existing federal assessment and authorization processes.

Confidence in cloud systems security is increased. FedRAMP helps:

1. Offer security appraisals and authorizations on the basis of a uniform set of security controls;
2. Use sanctioned Third-Party Assessment Organizations (3PAOs) to continually assess the ability of a Cloud Service Provider (CSP) to fulfil the security requisites; and
3. Coordinate unceasing monitoring services.

What’s in it for your business?

So what’s in it for your business? Companies looking towards working with federal agencies now have fewer security authorizations to fulfill with FedRAMP’s standardized “do once, use many times” model. So by completing one FedRAMP authorization, CSPs will not have to expend time and money securing authorization for each federal agency client.

All cloud deployments and service models of federal agencies that are categorized to have low and moderate risk impact levels are required FedRAMP. All agencies and executive departments are likewise mandated to submit a PortfolioStat quarterly report that lists down all existing cloud services that are non-compliant with FedRAMP and steps for the fulfillment of its requirements.

Here are the Top Three Stakeholders in the FedRAMP Process

Agencies

Agencies do the selecting of cloud services, the leveraging of FedRAMP processes, and mandates CSPs to fulfill FedRAMP requirements.

Cloud Service Providers (CSPs)

CSPs give their cloud services to an Agency, therefore must fulfill all FedRAMP requirements prior to any implementation of their services.

Third Party Assessment Organizations (3PAOs)

3PAOs are responsible for conducting the initial and subsequent periodic evaluations of the CSP systems. They verify fulfillment of the FedRAMP requirements and continuously perform audits to guarantee that CSPs are compliant.

How can your business achieve a FedRAMP compliant security package as a federal agency CSP?

1. First is by getting a provisional authorization (P-ATO) from FedRAMP via the Joint Authorization Board (JAB).
2. Second is by working straight with agencies to acquire agency authorization (ATO) from FedRAMP.
3. Moreover, third is by getting employed independently with an accredited 3PAO to deliver an accomplished security package even without acquiring authorization

A FedRAMP P-ATO serves as the initial approval that the JAB gives as part of the authorization package for CSPs that an agency can use to give a security authorization and an ATO for the procurement of cloud services inside their agency. The JAB reviews the CSP authorization package to evaluate its ability to make risk-based decisions related to cloud systems.

In working directly with federal agencies to acquire a FedRAMP ATO, a CSP which creates more impact on their federal clients will be given primacy in the prioritization queue. This is because FedRAMP’s framework gives priority to companies that can augment efficiency and thus help generate savings more quickly.

CSPs can take services from any party they wish to get ready for the process of authorization. Accredited 3PAOs are required when getting a P-ATO from the JAB, when tendering a CSP supplied package or when requested by an agency. FedRAMP 3PAOs are accredited by the American Association for Laboratory Accreditation (A2LA) and given final approval by the FedRAMP PMO.

It is the task of the JAB to select the controls for annual testing and continuous monitoring. However, federal agencies are also mandated to continuously monitor any cloud system they use as part of FedRAMP requirements. In the last instance, the agencies have the responsibility for the continuous monitoring and authorization of the systems they have deployed.

These monitoring requirements are based on the National Institute of Standards and Technology (NIST) Special Publication 800-137 guidance for the implementation of Information Security Continuous Monitoring program. FedRAMP is looking into the possibility of developing its continuous monitoring program to favour a more risk-based approach as opposed to the traditional compliance-based one.

CSPs must maintain optimal performance amidst continuous monitoring if they are to continue holding on to their FedRAMP authorization. Federal agencies continuously monitor CSPs performance and will enforce performance requirements whenever issues arise as indicated in the contracts.

Your organization will benefit from FedRAMP by saving significant cost, time, and resources by following its “do once, use many times” mantra while standardizing your organizations method to risk management and information security.