In order to increase the security among Federal agencies, several agencies created the Federal Risk and Authorization Management Program (FedRAMP). These agencies are:
- The National Institute of Standards and Technology (NIST)
- The Department of Homeland Security (DHS)
- The General Services Administration (GSA)
- The Department of Defense (DOD)
FedRAMP is a government-wide program which provides a standardized approach to security assessment, authorization, and continuous monitoring for Cloud Service Providers (CSPs).
The intent behind the program is to facilitate the adoption of CSPs among Federal agencies and eliminate duplication of effort. In the same time, FedRAMP reduces the risk management time and the costs that agencies would otherwise spend on individual assessing of CSPs. Or, as it can be found on FedRAMP official site:
“FedRAMP facilitates the shift from insecure, tethered, tedious IT to secure, mobile, nimble, and quick IT.”
FedRAMP Security Assessment Framework 2015 Vs. 2017
To advance the security among Federal Agencies, in 2015, FedRAMP.gov issued the general Security Assessment Framework. And, 2 years later, they’ve upgraded this structure to Security Assessment Framework version 2.4.
In both versions of the Security Assessment Framework, FedRAMP puts a special emphasis on the importance of CSPs meeting the FedRAMP requirements.
In order to become FedRAMP compliant, each CSP needs to carefully follow and go through 4 process areas:
- Authorize, and
However, the ways in which CSPs could achieve FedRAMP compliance have slightly changed in the 2017 Security Assessment Framework revision.
In their version of 2015, FedRAMP allowed 3 ways of CSPs becoming FedRAMP compliant. But, in their latest version from 2017, FedRAMP gives CSPs only 2 possible alternatives to achieve compliance.
In 2015, CSPs could achieve FedRAMP compliance trough:
- Joint Authorization Board Provisional Authorization (JAB P-ATO)
- FedRAMP Agency Authority to Operate (ATO)
- CSP Supplied Package
Let’s explain these 3 in more detail.
1. Joint Authorization Board Provisional Authorization (JAB P-ATO)
JAB P-ATO is a type of request for FedRAMP compliance that can be submitted either by the CSP or by the Federal agency. It basically means submitting an application known as ‘Initiate Request form’ on www.fedramp.gov to ensure processing of the CSP for a JAB P-ATO. Here, the CSP provides all data to the JAB and it makes a risk review of all the data provided.
When the JAB grants the P-ATO, the JAB provides all Federal agencies a recommendation on whether a CSP has a recommended acceptable risk posture for Federal use.
For FedRAMP JAB P-ATOs, the CSP must collaborate with an accredited Third Party Assessment Organization (3PAO) to independently verify and validate the security implementations.
The picture above shows the entire process of JAB P-ATO, form submission to authorization. As you can see, it consists of 4 separate stages, each containing several phases on their own.
The first stage is called Readiness Assessment & FedRAMP Connect. This stage, as the name itself implies, is the first stage where all the information needed is provided by the CSP so that the process of assessment may start. The length of the first stage depends on the readiness of the CSP to provide all this information.
The next stage is known as Full Security Assessment and lasts for about 1 month. At this stage, the CSP is examined against all of the demands of the assessment framework. And if passed, the CSP gains the right to be FedRAMP Authorized, which is the actual next stage of JAB P-ATO
The Authorization Process is the longest stage. It can take 3 to 4 months and sometimes even longer. The reason for the length of this stage is the several reviews that the CSP must go through. Once this stage is over and the CSP is FedRAMP authorized follows the final stage – Continuous Monitoring.
Continuous Monitoring is an ongoing process in which the CSP is monitored whether it still responds to all of the FedRAMP demands and how the CSP uses the FedRAMP authorization.
Getting JAB P-ATO is a long and complex process which not every CSP can go through. On the other hand, the ones authorized as such are undoubtedly secure to be used.
2. FedRAMP Agency Authority to Operate (ATO)
ATO allows CSPs to work directly with a Federal agency to achieve FedRAMP compliance. Here, the CSP works together with the Federal Agency security office to provide all data necessary for the ATO. After that, the Federal agency makes a risk review of the data.
Federal Agencies have to choose a FedRAMP accredited 3PAO or a non-accredited Independent Assessor (IA) to perform the assessment.
In cases where non-accredited assessor is used, the Federal agency needs to provide evidence of the assessor’s independence and a letter of attestation of the assessor’s independence with the security authorization package. However, the FedRAMP Program Management Office (PMO) highly recommends the use of an assessor from the FedRAMP 3PAO accreditation program.
Once the Federal agency authorizes the package, they need to notify the FedRAMP PMO. The PMO then instructs the CSP how to submit the package for PMO review.
After reviewing the package and ensuring it meets all of the FedRAMP requirements, the FedRAMP PMO publishes the package in the Secure Repository for other Agencies to leverage.
As you can see from the picture above ATO is similar, but at the same time very different from JAB P-ATO. Namely, ATO also includes 4 stages from which only the first one is different. Instead of Readiness Assessment & FedRAMP Connect, here CSP’s work on establishing a partnership with the federal agency. This is the first stage and is known as Relationship Establishment.
The other 3 stages are seemingly similar, but in their core are very different. The thing is in the phases that each of the following processes goes. If you take a more detailed look at the picture above you will understand what I am talking about. Especially when it comes to the Authorization process because with ATO the review process is done by both the agency and PMO.
3. CSP Supplied Package
The 2015 FedRAMP Security Assessment Framework provides an opportunity for CSPs to supply a security package to the FedRAMP Secure Repository for prospective Agency use. Here, the CSP chooses to work independently rather than through the JAB or a Federal Agency.Unlike the other two ways of achieving FedRAMP compliance, here, after the completion of FedRAMP Security Assessment Framework (SAF), the FedRAMP compliant package instead for authorization it’s available for leveraging. Namely, instead of gaining FedRAMP authorization the CSP must go under one final test. And that is 3PAO.
The CSP must collaborate with an accredited 3PAO to independently verify and validate the security implementations and the security assessment package.
Once the authorization is completed, the CSP notifies the FedRAMP PMO and the PMO instructs the CSP on how to submit the package for PMO Review.
After the review, the FedRAMP PMO publishes the package in the Secure Repository for other Federal agencies to leverage.
In cases where the Federal agency decided to issue an ATO to a CSP-supplied package, the status of the package changes in the ‘Secure Repository’ to indicate that it has evolved into a FedRAMP Agency ATO Package.
What Changed In 2017?
FedRAMP is a program which is focused on constant improvements. For that reason, they put a huge effort in trying to improve the standardized approach they offer and present it as the best possible solution for securing Governmental data among agencies who use CSPs.
With that thought, they have decided to exclude the CSP Supplied Compliance form the Security Assessment Framework form 2017 and focus on the other two, JAB and Agency Authorization.
FedRAMP explains this decision as a result of the fact that CSP-Supplied compliance has been the least utilized out of the three options. And unfortunately, a great part of the CSP-Supplied packages submitted to the PMO failed in passing the compliance review.
They explain on their official site:
“After numerous interviews with CSPs, agencies, and 3PAOs, we concluded that CSP-Supplied had the lowest demand and was too risky, costly, and resource intensive for both industry and the FedRAMP PMO.”
As an alternative, they offer the option to pursue the redesigned FedRAMP Ready process.
”While CSP-Supplied is going away, we believe the redesigned FedRAMP Ready will better prepare CSP’s for a JAB provisional authorization or help identify an agency sponsor for authorization, with it happening faster, cheaper, and with more certainty.”
Image Source: https://www.fedramp.gov
With an intent to unburden FOIA agencies in adopting CSPs, the National Institute of Standards and Technology initiated the development of FedRAMP.
As a government-wide program which provides a standardized approach to security assessment, authorization, and continuous monitoring for CSPs, FedRAMP is in constant evolution.
Since its creation, the framework has significantly evolved. And one such proof is the 2017 Security Assessment Framework.
This framework is a huge help for FOIA agencies that are in search for a CSP which, believe it or not, is not an easy job. It carries lots of risks and costs.
Thanks to FedRAMP, FOIA agencies can now rely on the assessment framework and spend their time responding to more FOIA requests and reducing backlogs.
If you have any comments or questions about the FedRAMP compliance, feel free to ask. We will be glad to help you.