What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 to provide a risk-based approach to adopting and using cloud services by the federal government. In 2022, the FedRAMP Authorization Act was signed as part of the FY23 National Defense Authorization Act (NDAA). The Act codifies the FedRAMP program as the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information. FedRAMP is the cloud arm of the Federal Information Security Management Act (FISMA).

Cloud Service Providers (CSP) that want to make Cloud Service Offerings (CSO) available to federal agencies must have a FedRAMP designation to be listed on the FedRAMP marketplace.

FedRAMP uses the NIST SP 800-53 security controls and includes parameters and guidance above the NIST baseline that address the unique elements of cloud computing. The NIST SP 800-53 control families are:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Assessment, Authorization, and Monitoring
  • Configuration Management
  • Contingency Planning
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical and Environmental Protection
  • Planning
  • Program Management
  • Personnel Security
  • Personally Identifiable Information (PII) Processing and Transparency
  • Risk Assessment
  • System and Services Acquisition
  • System and Communications Protection
  • System and Information Integrity
  • Supply Chain Risk Management

FedRAMP Authorization Process

The FedRAMP Program Management Office (PMO) defines three official designations for CSOs:

FedRAMP Ready

A designation provided to CSPs indicating that a FedRAMP-recognized Third Party Assessment Organization (3PAO) attests to a product’s security capabilities and that a Readiness Assessment Report (RAR) has been reviewed and deemed acceptable by the FedRAMP PMO.

FedRAMP In Process

A designation provided to CSPs that are actively working toward a FedRAMP Authorization with either the Joint Authorization Board (JAB) or a federal agency.

FedRAMP Authorized

A designation provided to CSPs that have successfully completed the FedRAMP Authorization process with the JAB or a federal agency.

FedRAMP requires organizations to have assessments conducted by an approved Third Party Assessment Organization (3PAO) to achieve their security status.

Authorization Options

Two approaches are available for securing FedRAMP authorization: authorization through the Joint Authorization Board (JAB) or Agency Authorization.

Agency Authorization

In the Agency Authorization path, CSPs need to find a federal agency to sponsor their CSO as they strive to achieve an Authority to Operate (ATO).

Pursuing the FedRAMP Ready designation is recommended, but not required, for the Agency Authorization path. To achieve this designation, CSPs must work with a 3PAO to complete a Readiness Assessment of their service offering. The Readiness Assessment Report (RAR) documents the CSP's capability to meet federal security requirements.

During the Pre-Authorization step, CSPs need to formalize their agency partnership and prepare to undergo the authorization process. Organizations need to make any necessary technical and procedural adjustments to address federal security requirements and prepare the security deliverables required for authorization.

By this stage, CSPs should:

  • Have a system that is fully built and functional
  • Have a leadership team that is committed and fully on board with the FedRAMP process
  • Engage with FedRAMP through the intake process by completing a CSP Information Form
  • Determine the security categorization of the data that will be placed within the system using the FedRAMP Federal Information Processing Standards (FIPS) 199 Categorization Template (found in Section 15 of the System Security Plan (SSP) template on the Documents & Templates page), along with the guidance of FIPS Publication 199 and NIST Special Publication 800-60 Volume 2 Revision 1, to correctly categorize the system based on the types of information it processes, stores, and transmits.

CSPs and their chosen agency will then have a kickoff meeting to discuss:

  • The background and functionality of the cloud service
  • The technical security of the cloud service, including the system architecture, the authorization boundary, data flows, and core security capabilities
  • Customer-responsible controls that must be implemented and tested by the agency
  • Compliance gaps and remediation plans
  • A work breakdown structure, milestones, and next steps

The 3PAO will then perform a full security assessment of the system. Before the assessment, the CSP’s System Security Plan (SSP) needs to be completed, reviewed, and approved by the agency customer. Also, the Security Assessment Plan (SAP) should be developed by the CSP’s 3PAO with their authorizing agency’s input.

During this step, the 3PAO tests the CSP’s system and develops a Security Assessment Report (SAR) which details their findings and includes a recommendation for FedRAMP Authorization.

The CSP will then develop a Plan of Action and Milestones (POA&M) based on the SAR findings, with input from the 3PAO, that outlines how the findings from testing will be addressed.

CSPs will then move to the Agency Authorization Process, where the agency conducts a security authorization package review, which may include a SAR debrief with the FedRAMP PMO. The results of the review could require remediation by the CSP. The agency will implement, test, and document customer responsible controls during this phase. Finally, the agency performs a risk analysis, accepts risk, and issues an ATO. This decision is based on the agency’s risk tolerance. Once an agency provides an ATO letter for the use of the CSO, the following actions take place to close out this step:

  • The CSP uploads the Authorization Package Checklist and the complete security package (SSP and attachments, POA&M, and Agency ATO letter), with the exception of the security assessment material, to FedRAMP’s secure repository.
  • The 3PAO uploads all security assessment material (SAP, SAR, and attachments) associated with the CSO security package to FedRAMP’s secure repository.

The FedRAMP PMO reviews the security assessment materials for inclusion in the FedRAMP Marketplace, and the Marketplace listing is updated to reflect FedRAMP Authorized status. Agency information security personnel can then obtain the CSO security package, in order to issue subsequent ATOs, by completing the FedRAMP Package Access Request Form.

To meet continuous monitoring requirements, Agency Authorization CSPs must provide periodic security deliverables (vulnerability scans, updated POA&M, annual security assessments, incident reports, significant change requests, etc.) to all agency customers. Further details can be found in the Continuous Monitoring Strategy Guide.

JAB Authorization

The JAB selects approximately 12 cloud products to authorize each year through a process called FedRAMP Connect. CSPs interested in working with the JAB are required to review the JAB Prioritization Criteria and Guidance document and then complete and submit the FedRAMP Business Case.

To begin the JAB process, CSPs must have achieved the FedRAMP Ready designation or be able to secure it within 60 days of being selected. JAB Kickoff can then begin, where the CSP, 3PAO, and FedRAMP collaboratively review the CSO’s system architecture, security capabilities, and risk posture. The JAB will issue a “go” or “no-go” decision to proceed with the authorization process.

If the CSO receives the go-ahead, the JAB will conduct an in-depth review of the security authorization package that needs to include:

  • System Security Plan (SSP)
  • Security Assessment Plan (SAP)
  • Security Assessment Report (SAR)
  • A Plan of Action and Milestones (POA&M) to track and manage system security risks identified in the SAR.

Monthly continuous monitoring deliverables, including scan files, the POA&M, and an up-to-date inventory, must be prepared and submitted to the JAB throughout the process.

When the review is complete and the CSP and 3PAO have remediated any outstanding issues, the JAB will issue a formal authorization decision. If it rules in favor of the CSO, a Provisional Authority to Operate (P-ATO) will be issued.

To meet continuous monitoring requirements, CSPs that obtained a JAB authorization must provide monthly deliverables, including incident reporting, to the JAB and to the agencies that use their service. While each agency’s Authorizing Official (AO) retains final approval authority for the use of a system by that agency, the JAB acts as the focal point for continuous monitoring activities by:

  • Reviewing continuous monitoring and security artifacts on a regular basis
  • Monitoring, suspending, and revoking a system’s P-ATO as appropriate
  • Authorizing or denying significant change and deviation requests
  • Ensuring continuous monitoring deliverables are provided to leveraging agencies in a timely manner

The Benefits of FedRAMP Authorization

Federal agencies are only allowed to use FedRAMP authorized CSOs. Securing authorization opens significant potential revenue streams, such as business with the Department of Defense.

Implementing the security controls required for FedRAMP authorization will give your organization more confidence in the security of your systems and services.

How We Can Help

CompliancePoint’s team of cybersecurity experts offers decades of experience your organization can leverage. We can help design and implement controls that will meet all FedRAMP requirements. Once implemented, we can help manage your security program on an ongoing basis to ensure continuous compliance.

Failure to comply with relevant requirements can have a devastating impact on your organization. Don't take chances, let our experts help.

Frequently Asked Questions

FedRAMP is a security framework for cloud services. Federal agencies are only allowed to use cloud services that have a FedRAMP Authorization. The National Institute of Standards and Technology (NIST) has published a series of voluntary cybersecurity frameworks. FedRAMP is largely based on the security controls found in NIST 800-53.

To get a Cloud Service Offering (CSO) listed on the FedRAMP Marketplace, a Cloud Service Provider (CSP) must secure a FedRAMP Authorization for that offering. Federal agencies can only use cloud services that have a FedRAMP Authorization.

The Joint Authorization Board (JAB) is the primary governance and decision-making body for FedRAMP. The JAB consists of the Chief Information Officers from the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA).