The Federal Risk and Authorization Management Program (FedRAMP) is the culmination of multiple decades worth of standardization, coordination and streamlining to allow for federal use of cloud services in a secure manner. With contracts in the billions of dollars, such as the canceled JEDI cloud contract for the pentagon, being able to showcase clearly and concisely that a company is ready to go if given the green light is a huge deal. With that in mind, we’re going to be going over what it will take to build your FedRAMP certification and compliance team.
What is FedRAMP’s purpose?
As we mentioned above, FedRAMP’s primary goal is to promote, accelerate and standardize the use of secure cloud services across a wide range of federal government departments. Going from on-premises servers to cloud services can open up a can of worms when it comes to potential hazards, which is why FedRAMP sets the standard for security and risk assessments for federal agencies. FedRAMP’s standards are based on a collaboration between the National Institute of Standards and Technology (NIST), the Department of Defense (DOD), the Department of Homeland Security (DHS) and the General Services Administration (GSA). NIST rules and guidelines are used as a baseline to create cloud service providers (CSP) standards, how the offerings from the CSPs will be assessed, the pathway to authorization and how contracts will be written.
FedRAMP versus other compliance standards
The contents of FedRAMP’s rules are primarily taken from two NIST standards: NIST Special Publication 800-37 (800-37) – Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, and NIST Special Publication 800-53 (800-53) – Security and Privacy Controls for Information Systems and Organizations. These documents revolve around the idea of creating a risk management framework, minimizing risk wherever possible then documenting and monitoring these systems actively to make sure that they remain in compliance. Because of this general purpose, one might very well ask why not just use existing standards such as ISO/IEC 27001? The short answer is because some of the existing standards do not cover particular aspects that FedRAMP does. On the publication page for NIST SP 800-53, mappings are available for some other standards such as the NIST Cybersecurity Framework and ISO /IEC 27001. As of the time of writing, there are many places where 800-53 and ISO/IEC 27001 align, but in others, they differ. One of the examples shown during the mapping, for instance, is in the handling of Personally Identifiable Information (PII). 800-53 has controls specifically to address the privacy requirements in handling PII, while ISO/IEC 27001 only specifically calls out the benefits for keeping PII secure. The same concepts also apply to some other standards, such as SOC 2, which cover many of the same broad concepts, but what about other existing government standards such as the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC)? In some respects, they both tread the same ground. Both tie back into NIST standards, for example, including 800-53 and a subset of 800-53 created specifically for government contractors, 800-171. However, the standards themselves aren’t necessarily the sticking point here. According to John Verry, CISO at Pivot Point Security, the main difference between CMMC and FedRAMP revolves around the scope. CMMC can handle both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). As a result, even though they may be operating at similar levels, they don’t necessarily cover the same material.
What people need to be on our certification and compliance teams?
It may sound a bit overdramatic, but the number of controls and the amount of documentation required is staggering. The FedRAMP System Security Plan (SSP) can be hundreds of pages long, with multiple appendices. There are also several levels that the CSP can be assessed at low, moderate or high. Historically, the lion’s share of CSPs has chosen to go with either a moderate or high rating, rated at 325 security controls and 421 controls, respectively. Many with multiple components each. Since there is so much that needs to be covered, it may be of great benefit to use the NICE Workforce Framework for Cybersecurity (NICE Framework). It can be a tremendous help when trying to get multiple departments on the same page when developing employee responsibilities and looking for potential hires. To start with, the scale of becoming FedRAMP certified requires a commitment at the highest levels of any organization involved in it. As such, we’ll want to make sure that our Executive Cyber Leadership (Work Role ID: OV-EXL-001) has not only signed off on the project but is actively involved since FedRAMP is legally binding for the organization and its staff. Along those same lines, our Cyber Legal Advisor (Work Role ID: OV-LGA-001) will also want to be involved from the very start to be able to showcase any potential pitfalls from a legal perspective. Once the organization is committed to the project, staff members will need to be ready to manage and implement the certification, along with those that will verify compliance both during and after project completion. The information systems security manager (work role ID: OV-MGT-001) will need to ensure that staff members stay on track and have the skills necessary to work on the certification. The IT project manager (work role ID: OV-PMA-002) will be handling timing and balancing between different tasks and stages as implementation progresses. The privacy officer/privacy compliance manager (work role ID: OV-LGA-002) should be brought in as early as possible during the planning phases to ensure that privacy compliance requirements are implemented right from the get-go. Enterprise and security architects (work role ID: SP-ARC-001 and SP-ARC-002) will need to be ready and able to design the solutions required to meet or exceed the requirements for certification. System and database administrators (work role ID: OM-ADM-001 and OM-DTA-001) will need to build and manage the systems designed to run and store data securely, while network operations specialists (work role ID: OM-NET-001) will handle secure communications between disparate systems. While the systems are being constructed, the cyber policy and strategy planner (work role ID: OV-SPP-002) will need to develop the plans and policies necessary to prove compliance with FedRAMP requirements. This will be verified both during implementation and after completion by IT program auditors (work role ID: OV-PMA-005), with their final findings placed into the SSP as part of the deliverable.
How does an organization get authorized?
There are two different paths to authorization: Joint Authorization Board (JAB) Authorization or Agency Authorization. JAB Authorization is highly selective, with around a dozen products a year granted Provisional Authority to Operate (P-ATO). To start, the CSP must have their FedRAMP Ready designation already, or they will have 60 days to become compliant. After this, they will need to deliver their SSP and have a third-party assessment organization (3PAO) perform a full security assessment. Once the 3PAO has the security assessment report (SAR), the CSP will develop a plan of action and milestones (POA&M) to address and track risks noted in the SAR. All of these deliverables, plus a month of continuous monitoring data, will need to be placed into templates provided by FedRAMP and submitted at least two weeks before the authorization review with the JAB begins. This can take a considerable number of weeks before an authorization is complete. After authorization, continuous monitoring and annual assessments will continue for as long as the certification remains active. The agency authorization is very similar, but instead of going directly through the JAB, they will be working with the particular agency they want to do business with. The nice thing about this route is that once a CSP is certified, the certification will be acknowledged by any other department wishing to do business with the CSP.
How much does this cost?
The exact cost can vary wildly depending on levels, staff involved, monitoring expenses and a host of other responsibilities. A presentation developed by MITRE shows the median cost for a CSP to obtain provisional authority to operate of around $2.25 million, with another $1 million yearly to maintain continuous monitoring.
Earning the FedRAMP certification
Becoming FedRAMP certified is a massive undertaking and not something that should be entered into unprepared. It requires a huge amount of effort from dozens of people over an extended period, and all of that is to get to the point where you can work with the customer. However, the benefits for the right organizations are staggering and legally required should you choose to work with government agencies. Suppose your CSP is even potentially looking at them as a potential candidate. In that case, you will benefit significantly from doing your homework before talking to any agency or third-party assessment organization.