As a government agency, there are many advantages to being able to tap into cloud technologies. From eliminating time-consuming manual tasks and reducing paperwork, cloud technologies offer a spectrum of efficient and effective improvements over traditional methods. Plus, software as a service (SaaS) subscription-based models can help reduce annual information technology costs.

To implement these technologies, however, you’ll need to comply with the Federal Risk and Authorization Management Program known as  FedRAMP provides a standardized approach for assessing and complying with government security controls, authorizing cloud products and services, and proving continuous monitoring of systems. It’s managed by the FedRAMP Program Management Office (PMO).

FedRAMP authorization can seem daunting, but if you have the right resources and preparation in place, the process can be streamlined and simplified. In fact, there’s a lot less for a Federal agency to do than you might think. The burden is predominantly on the cloud service provider (CSP) whose services you wish to use and its independent assessor over your team and internal resources.

There are several common myths, misconceptions, and questions about FedRAMP requirements and processes – and a few benefits to understand given the investment and effort of the program.

To help clarify, we spoke with expert James Masella, Vice President of Compliance Advisory Services, at Coalfire – a leading provider of IT security assessments for many security standards and payments frameworks and programs, including FedRAMP support.

Masella has been working in IT for 20 years – 15 of them focused on security assessments for Federal controls, most prominently, helping organizations comply with National Institute of Standards and Technology (NIST) cybersecurity controls. Over his career, Masella has accomplished over 70 FedRAMP compliance and assessment projects – and has been working on them since the program’s infancy in 2015. He’s been with Coalfire for eight years.

What is FedRAMP?

If you’re evaluating cloud technologies, such as a workplace and asset maintenance platform, it helps to have a background in the evolution of FedRAMP since there are many different cybersecurity compliance and controls to manage. In fact, the program was created specifically with this knowledge. The entire goal of FedRAMP is to accelerate the adoption of secure cloud solutions in the Federal government.

It streamlines the authorization process for CSPs and improves confidence in the security of cloud solutions. FedRAMP was created by the General Services Administration (GSA) in partnership with the US Department of Defense (DoD) and NIST.

“The big problem that FedRAMP was meant to solve was the Federal government knew it needed to modernize its IT infrastructure because their model was not sustainable,” explains Masella. “Commercial cloud services were a lot more affordable than the way much of the government manages IT infrastructure and provided better services.”

The challenge is having assurance that the security of those commercial cloud services is meeting the requirements for the Federal government. And under the Federal Information Security Modernization Act (FISMA), every federal agency can implement its own security plan if it follows the guidelines of the law – which also include audits and independent assessments.

FedRAMP pulls that all under one umbrella and allows all Federal agencies to leverage independent assessors to reduce duplicate effort within audit and assessment work. But FedRAMP is not a certification – it’s a compliance framework within a Federal program that an organization is either authorized to be a part of or not.

“FedRAMP is a different animal,” says Masella. “You actually are building an information system for Federal government use and the government is authorizing that system for use for Federal data.”

Any vendor who has gone through an extensive audit process can be listed in the FedRAMP marketplace, so Federal agencies can easily find and procure services without having to do additional research or due diligence. It makes it easier for departments, such as the Department of Homeland Security (DHS), DoD, or healthcare organizations including the Centers for Medicare & Medicaid Services (CMS) to purchase products from vetted vendors quickly while reducing costs associated with IT resources.

The good news is there are over 300 authorizations on the FedRAMP marketplace today, and some of them are large, some are small. They’ve all solved many of the challenges and issues already, relays Masella.

Delineation of work under FedRAMP: Who is responsible and for what?

The PMO is responsible for managing documents, such as policies, procedures, standards, guidance documents, templates, checklists, etc., which are used throughout all stages of authorization. The FedRAMP Joint Authorization Board (JAB) reviews all provisional Authority to Operate (ATO) packages before they are authorized.

The 3PAOs – Third Party Assessment Organizations – conduct independent security assessments for agencies before issuing a Provisional ATO. These 3PAOs assess each system’s compliance with NIST 800-53 standards, as well as other requirements specified by each agency or department at four different Impact Levels ranging from Low to High. Coalfire is an example of a 3PAO.

“In the case where a CSP has engaged an advisor, the advisor entities are doing all of the work,” says Matella. “The [government] agency just has their due diligence under the law to review the risk. That’s it. It’s the same thing they would have to do if they were the second agency or the last agency or the agency in the middle. There is no difference.”

The heavy lift and burden are accomplished by the 3PAOs and the cloud service provider.

The requirements for FedRAMP compliance

Depending on the risk associated with a particular service, organizations must demonstrate their commitment to security to gain authorization from the JAB. The requirements range from basic NIST 800-53 Rev 4 controls at Low Impact Level (Level 1) all the way up to DHS Risk Management Framework regulations and additional physical protection measures at High Impact Level (Level 3).

Once a Provisional Authority to Operate (PATO) has been granted, it is valid for three years, however organizations are expected to continuously monitor their systems and update any changes made since initial authorization was granted.

Preparing for FedRAMP: What you need to know

If this is the first time you are dealing with FedRAMP, it’s important to understand some of the most common issues that can arise. Many of these will be the burden of the CSP you wish to use – but it’s better to know what they are upfront.

First, it’s important to communicate to the CSP your specific agency’s policies on who can access information. Some hurdles involve the standards and requirements themselves, relays Matella. These include technology and process compliance areas, such as validated encryption, requirements of internal flows, and connections to external services — they all must be FedRAMP authorized.

“In many cases, it’s not a Fed RAMP requirement, but it can be a requirement from agencies that only US persons or US citizens can actually access the production environments,” he says. “And many of these commercial cloud services are supported by offshore support and many have a ‘follow the sun’ (operational) model.”

As Masella points out, these issues have been dealt with before by other agencies and CSPs, but it’s one that needs to be addressed and understood from the outset.

Secondly, CSPs themselves may think they know compliance, but it can be more work than they know. Many IT leaders assume they have the expertise in-house to handle FedRAMP since they already have an internal security team. Just because they have a robust engineering team, it doesn’t mean it’s going to be easy to architect a system to meet FedRAMP requirements.

“Many times, the engineering teams are great at designing infrastructure and applications, but once you take away a lot of the tools that they have been using or you have to implement some new measures that they didn’t have to have before, this can complicate things,” says Masella.

For example, perhaps a CSP doesn’t perform vulnerability scanning internally or they don’t do file integrity management today and must implement and use it. Now they’re having to decide on new tool sets – which take time to evaluate and get up to speed.

The other problem area Masella sees a lot is not having the business case worked out and detailed enough for the investment. If the CSP hasn’t done enough market research, they can easily get derailed.

“[A CSP] might not be able to get that first initial authorizing agency, might not get on the marketplace, might start the investment and it begins to get pretty big, and the return-on-investment case might not be there,” says Masella.

The best guidance is for the CSP to work with an experienced, third-party FedRAMP advisor preparation provider. And as he points out, many of the challenges and pitfalls can be avoided since much of it has been sorted out already. Getting this kind of information upfront will help you speed up your FedRAMP authorization process overall.

 

FedRAMP checklist

Common FedRAMP questions

  • Is FedRAMP a certification?
  • How long should it take to finish the FedRAMP process?
  • What should be prioritized first when seeking FedRAMP authorization?
  • Can artificial intelligence help speed up the process?

Common FedRAMP misconceptions

  • Our agency will have to do a lot of heavy lifting of the work.
  • The CSPs engineering team work on security compliance already, so FedRAMP work should be easy.
  • FedRAMP takes a lot longer than it should.

 

FedRAMP Questions / Misconceptions Answers
Is FedRAMP a certification? No, it’s a program. You use a compliance framework, audits, assessments to be authorized to be within FedRAMP.
How long should it take to finish the FedRAMP process? It depends. Very fast is 90 days. Most common is 9 to 12 months depending on prioritization and changes needed.
What should be prioritized first when seeking FedRAMP authorization? Gaps between FedRAMP framework and your current state of compliance.
Can artificial intelligence help speed up the process? AI has a significant role to play in automating the creation and review of documentation packages which could speed up the process and increase the number of services in the marketplace, but it’s not in widespread use yet.
Our Federal agency will have to do a heavy lift. Actually, the CSP we want to use and its 3PAO will do the bulk of the technology and process compliance. Our agency will perform due diligence on risk under the law.
The CSPs engineering team work on security compliance already, so FedRAMP work should be easy. This is the most common pitfall: A large engineering team does not mean you will easily meet FedRAMP requirements.
FedRAMP takes a lot longer than it should. Preparation with CSPs and independent guidance will help speed up the process. Know your specific agency information access policies and communicate them upfront to CSPs. Encourage CSPs to work with a 3PAO.

 

FedRAMP helps government agencies like yours make sure your data remains secure while reducing duplication when purchasing compliant offerings in the approved marketplace. It also provides assurance that any cloud solution used meets pre-defined security requirements, so that you can have peace of mind knowing your data is being always kept safe and secure.

After you go through the FedRAMP process for the first time, it will open up the door to a world of new and evolving cloud technologies forever.

 

What will the workplace of tomorrow look like for government organizations? Join us at Flex/23 D.C. to discover how Archibus is built to support the unique needs of these vital services

Avatar photo

By

Jonathan writes about asset management, maintenance software, and SaaS solutions in his role as a digital content creator at Eptura. He covers trends across industries, including fleet, manufacturing, healthcare, and hospitality, with a focus on delivering thought leadership with actionable insights. Earlier in his career, he wrote textbooks, edited NPC dialogue for video games, and taught English as a foreign language. He holds a master's degree in journalism.