“Cloud solutions allow for faster processing and more elasticity in computing in an on demand, more efficient platform. However, incorporating the cloud into our Federal IT infrastructure has proven difficult. Currently, there is a redundant, inconsistent, time consuming, costly, and inefficient risk management approach to cloud adoption. In addition, there is little incentive to leverage existing Authorizations to Operate (ATOs) among agencies. The Federal Government spends hundreds of millions of dollars a year securing the use of IT systems.
The solution? FedRAMP.
The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves an estimated 30-40% of government costs, as well as both time and staff required to conduct redundant agency security assessments. FedRAMP is the result of close collaboration with cybersecurity and cloud experts from the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DOD), National Security Agency (NSA), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO) Council and its working groups, as well as private industry.
- Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
- Increase confidence in security of cloud solutions
- Achieve consistent security authorizations using a baseline set of agreed upon standards to be used for cloud product approval in or outside of FedRAMP
- Ensure consistent application of existing security practice
- Increase confidence in security assessments
- Increase automation and near real-time data for continuous monitoring
- Increase re-use of existing security assessments across agencies
- Save significant cost, time, and resources – “do once, use many times”
- Improve real-time security visibility
- Provide a uniform approach to risk-based management
- Enhance transparency between government and Cloud Service Providers (CSPs)
- Improve the trustworthiness, reliability, consistency, and quality of the Federal security authorization process
There are three main players in the FedRAMP process: Agencies, CSPs, and Third Party Assessment Organizations (3PAOs). Agencies are responsible for selecting a cloud service, leveraging the FedRAMP Process, and requiring CSPs to meet FedRAMP requirements. CSPs provide the actual cloud service to an Agency, and must meet all FedRAMP requirements before they implement their services. 3PAOs perform initial and periodic assessment of CSP systems per FedRAMP requirements, provide evidence of compliance, and play an on-going role in ensuring CSPs meet requirements. FedRAMP provisional authorizations (P-ATOs) must include an assessment by an accredited 3PAO to ensure a consistent assessment process.
FedRAMP authorizes cloud systems in a three step process:
- Security Assessment: The security assessment process uses a standardized set of requirements in accordance with FISMA using a baseline set of NIST 800-53 controls to grant security authorizations.
- Leveraging and Authorization: Federal agencies view security authorization packages in the FedRAMP repository and leverage the security authorization packages to grant a security authorization at their own agency.
- Ongoing Assessment & Authorization: Once an authorization is granted, ongoing assessment and authorization activities must be completed to maintain the security authorization.
FedRAMP is a government-wide program with input from numerous departments, agencies, and government groups. The program’s primary decision-making body is the Joint Authorization Board (JAB), comprised of the CIOs from DOD, DHS, and GSA. In addition to the JAB, OMB, the Federal CIO Council, NIST, DHS, and the FedRAMP Program Management Office (PMO) play keys roles in effectively running FedRAMP.”