Everything You Need to Know to Prepare for and Achieve FedRAMP Authorization
FedRAMP, the Federal Risk and Authorization Management Program, is a framework your organization can use to build cloud security into your overall security program, including cloud security assessments, monitoring, and process implementation. FedRAMP is a requirement for all cloud services providers (CSPs) and cloud solutions used by federal government agencies that handle federal data.
The FedRAMP program has been in place for nearly a decade, following a 2011 memo from the U.S. Federal Office of Management and Budget (OMB) establishing guidelines for federal cloud security. Since then, an increasing number of federal agencies have adopted cloud technologies and cloud services providers, opening up new avenues for bad actors wanting to maliciously access, exfiltrate, or corrupt sensitive and important federal information.
In this FedRAMP compliance knowledgebase, we’ll help you better understand what FedRAMP is, who should be FedRAMP authorized, and establish a foundation to help set you on the course for a FedRAMP authorization. Here’s what you’ll learn:
• FedRAMP is a framework you can use to build cloud security into your overall security program. It is mandatory for working with federal agencies.
• If you’re a CSP or cloud solution provider and you want to work with federal agencies, you must be FedRAMP compliant and hold a FedRAMP authorization.
• Adopting the FedRAMP framework for cloud security brings a range of benefits to your organization’s cloud security program.
• FedRAMP controls align with FIPS 199 impact levels, which should be used to determine which controls apply to your organization.
• The JAB works with about 12 multi-tenant, multi-capability CSPs each year for FedRAMP Provisional Authority to Operate (P-ATO) authorizations.
• Individual CSPs with fewer capabilities are good candidates for an individual agency Authority to Operate (ATO) designation.
• To become FedRAMP authorized, you will need to successfully implement a range of FedRAMP cloud security controls based on your product’s impact level.
• Before you undergo a formal assessment from a 3PAO (Third Party Assessment Organization), you should conduct internal reviews of control effectiveness and mitigate security issues.
• There are many cybersecurity frameworks to consider. Is FedRAMP or another framework right for you? Maybe more than one, or a hybrid? Learn more in our webinars.
• Searching for tools, guidance, and assistance with FedRAMP compliance? Try the FedRAMP Marketplace.
• Apptega is the industry’s best solution to help simplify and streamline all of your FedRAMP compliance needs for increased security visibility and oversight.
From cost-savings to ease of scaling, cloud solutions provide organizations with a number of benefits, but moving protected and sensitive federal data from on-premises to the cloud also creates new challenges.
Among these challenges are increasingly complex methods needed to secure data, especially for small and mid-sized businesses (SMBs) that may lack the resources or available talent to add cloud security into existing cybersecurity practices.
Threat actors know many CSPs and other cloud solutions have access to a gamut of sensitive and valuable data and that puts them increasingly in these attackers’ crosshairs for nefarious actions. Oracle’s 2020 Cloud Threat Report, for example, reveals that 92% of respondents know they have a cloud-readiness gap and more than half—60%—say they’ve been victims of cloud credentials phishing.
The federal government established FedRAMP to help streamline best practices for cloud security for all federal agencies and the partners they work with. Before the General Services Administration (GSA) established the FedRAMP Program Management Office (PMO) in 2012, these federal agencies had their own security requirements for CSPs. Before FedRAMP, if one agency approved a cloud service provider, the CSP had to go through a repeat process before approval by another. As a result, there was little consistency and a lot of duplicate work, both for the government and their potential services partners.
Today, these cloud security best practices are aligned with the Federal Information Security Modernization Act (FISMA), which requires all agencies to protect federal data, and OMB Circular A-130, which dictates that agencies use National Institute of Standards and Technology (NIST) standards when implementing FISMA.
FedRAMP streamlines cloud security approaches into standardized security measures your organization can implement and measure with a common baseline.
There are two ways your organization can become FedRAMP authorized. One is by earning a Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) and the other is to earn an individual FedRAMP Agency Authorization to Operate (ATO). If your organization successfully completes a FedRAMP authorization to work with one federal agency, you can use that authorization package to work with other agencies.
Organizations that successfully obtain authorization must undergo continuous monitoring and are subject to annual re-assessments to retain authorized status.
There are 17 core FedRAMP domains your organization must master and demonstrate in order to obtain and retain FedRAMP compliance. These controls align with NIST SP 800-53 standards, but have been adjusted to reflect the specific needs of cloud environments. If you’re like most organizations, you may already have some or all of these controls in place, but without a cybersecurity framework management platform like Apptega, it can be difficult to see all of your controls, which ones are working as designed, and where you may have security gaps. Apptega can help you streamline this process and approach your FedRAMP authorization journey with unprecedented confidence and reliability.
Here are some of the ways Apptega can help you on your FedRAMP compliance journey:
If you’re a cloud service provider or host a cloud software solution and you create, process, store, or transmit federal data, you are required to be FedRAMP compliant and to successfully earn—and maintain—a FedRAMP authorization.
In addition to being able to do business with federal agencies, as a FedRAMP authorized organization, you can expand your service offerings to other federal agencies and demonstrate to these agencies and others that you take information security seriously and that you’ve implemented, tested, and demonstrated that your data security controls are effective and meet industry best practices.
Today, there are 218 cloud services organizations in the FedRAMP Marketplace that have successfully earned FedRAMP authorization. Another 54 are in process with an additional 35 designated as FedRAMP Ready.
There are a number of benefits of adopting cloud security best practices from industry-approved frameworks.
Frameworks such as FedRAMP remove the guesswork from your processes and help you build a cloud security program with controls and procedures other organizations have successfully implemented and demonstrate effectiveness against potential breaches and other cyber-threats.
Another benefit of FedRAMP framework adoption is it can help your organization decrease duplicate efforts and achieve cost and process efficiencies. For example, if you successfully earn a FedRAMP authorization from one federal agency, you can use that authorization package as a foundation for working with other agencies.
FedRAMP aligns with other industry recognized best practices for security such as FISMA and NIST. FISMA mandates that all agencies protect federal data, while NIST standards define requirements for cloud security including how to do assessments and what processes you should implement to successfully ensure FedRAMP compliance. If your organization has already implemented NIST SP 800-53 standards, you may be well on your way to earning your FedRAMP Authorized designation. That’s because FedRAMP controls are based on NIST 800-53 standards but they’ve been adjusted to meet cloud security needs.
Did you know that you can use Apptega to crosswalk multiple security frameworks used by your organization?
Apptega’s Harmony intelligent framework mapping engine helps you manage all of your controls, giving you insight into where individual controls are applicable across multiple frameworks, including sub-controls, resources, and security related activities. Harmony helps you eliminate redundancy, gives you insight into the effectiveness of your controls, and helps you quickly identify gaps that need more attention.
“With Apptega, we now have the visibility needed to know the true status of our program at any time.”
"I would absolutely recommend Apptega for anyone looking to elevate their compliance program from a static source to something that can be used to actively track and manage your compliance."
FedRAMP outlines three impact levels for cloud security offerings:
FedRAMP impact levels align with three core security objectives:
Before beginning your FedRAMP authorization process, you should understand which impact level is applicable for your organization. Let’s take a closer look at each level and what it means in relation to Federal Information Processing Standard 199 (FIPS 199), which establishes the standards organizations must meet for categorizing information and information systems:
• Low Impact: The loss of confidentiality, integrity, and availability of information would have a low level of impact on a federal agency, including assets, individuals, and operations. The FedRAMP Low Baseline comprises 125 controls, while the Low-Impact Software as a Service (SaaS) baseline is based on 36 controls.
• Moderate Impact: The loss of confidentiality, integrity, and availability of information would have a serious level of impact on a federal agency, including assets, individuals, and operations.
• High Impact: The loss of confidentiality, integrity, and availability of information would have a severe or catastrophic level of impact on an agency’s assets, individuals, or operations.
If you’re a cloud services provider or a cloud software provider and you want to work with federal agencies, you’ll need to obtain formal authorization first. There are two types of authorization that demonstrate your organization meets FedRAMP compliance requirements:
Each year the Joint Authorization Board (JAB) reviews CSPs on the government’s behalf to determine each CSP’s risk posture. The JAB generally selects about 12 large, multi-tenant CSPs for P-ATO consideration, usually three per quarter.
During this process, the JAB determines whether the CSP meets all FedRAMP requirements and whether the CSP’s capabilities are applicable to multiple federal agencies. If so, the CSP can undergo the process to obtain P-ATO authorization; once designated, it remains under JAB ongoing monitoring and is subject to annual reviews to ensure sustained compliance.
Here’s a quick walkthrough of the P-ATO authorization process:
Most organizations will want to pursue an individual ATO. This path suits organizations whose capabilities aren’t as far-reaching, or not likely to be as widely adopted, as a larger cloud solution, and it is generally applicable to organizations that want to work with just one or two federal agencies. Unlike a P-ATO, which is overseen by a board, an ATO designation comes directly from the federal agency you want to work with. If you successfully earn an ATO, it’s tied directly to that agency, but you can seek authorization from other federal agencies by using your initial ATO as a starting point; however, you may be asked to meet additional requirements or address other security requirements for each new agency you want to work with.
Here’s a quick walkthrough of the Agency ATO authorization process:
FedRAMP controls are divided among 17 core domains, which can also be referred to as control families. Each of these 17 families spans three primary classes: technical, operational, and management.
The FedRAMP control families are based on NIST 800-53 standards, but each control is adjusted to reflect specific requirements for securing cloud environments. Each domain, or family, consists of a grouping of controls directly related to your CSP’s impact level. For example, there are 125 controls for low-impact systems, 325 controls for moderate-impact systems, and 421 controls for high-impact systems. You can refer to FIPS 199 to determine your CSP’s impact level and the corresponding FedRAMP control requirements.
For example, if your solution is considered low-impact, under the Access Control family, you’d be expected to meet 11 controls; however, if your solution is moderate impact, you’d have to meet 17 controls for the Access Control family.
Here are the 17 core families:
For a complete list of all the domains, classes, and control requirements, check out the FedRAMP Control Quick Guide from GSA at https://www.gsa.gov/cdnstatic/FedRAMP_Control_Quick_Guide_V12_%281%29.pdf.
Whether you’re preparing for a readiness assessment or you’re prepping your security package for FedRAMP authorization review, some best practices can help you streamline your processes, improve documentation, and approach your assessments with confidence.
Here are a few general recommendations to help you prepare for your FedRAMP assessments:
With more than 20 major cybersecurity frameworks on the market, how do you know which one is right for you? Do you need more than one framework to meet all of your compliance and regulatory obligations? Do you have controls from one framework that meet the requirements of another? Not sure what to do or where to begin? In this webinar, you’ll learn more about:
• Common cybersecurity frameworks
• How organizations use these frameworks
• Where there are commonalities between frameworks
• What differentiates each framework from others
• How to manage the frameworks you implement
Whether you’re preparing for an internal review or you’re getting ready for a formal 3PAO assessment, you’ll want to approach your FedRAMP authorization reviews with confidence, while ensuring you have all the documentation you need to demonstrate compliance and make your assessments as painless as possible. In this webinar, listen in on guidance from a panel of experts who have successfully participated—and passed—audits across a range of industries and compliance requirements, including:
• Best practices for audit preparation
• Tips from industry pros
• Common failures in the audit process
• How to mitigate risk for audit success
• How to gather what you need to support auditor requests
The FedRAMP Marketplace in CyberXchange is a great place to find resources for FedRAMP compliance. It’s mapped to FedRAMP controls and for each gap or compliance issue, you can find solutions that meet your specific needs. Join thousands of CISOs, CIOs and other cyber professionals in finding perfect-fit solutions for all your FedRAMP needs.
FedRAMP, the Federal Risk and Authorization Management Program, is a framework that establishes a standardized approach for cloud security assessments, monitoring, and process implementation. FedRAMP authorization is required for all cloud services providers and cloud software solutions that create, process, store, or transmit federal data.
There are three impact levels related to FedRAMP: low, moderate, and high.
Here are some well-known companies with FedRAMP authorization: Adobe, Amazon Web Services (AWS), BlackBerry, Canon, Cisco, Deloitte, DocuSign, GitHub, Google Cloud Service, Hootsuite, IBM, McAfee, Microsoft Azure, Okta, Oracle, Salesforce, Trello, and Zoom. For a complete list of approved CSPs, visit https://marketplace.fedramp.gov.
FedRAMP compliance resources are in Apptega’s FedRAMP Marketplace. In the marketplace, you can quickly access products and services to help you with your FedRAMP authorization process, including access to consultants with expertise in your specific compliance areas. You can also find additional supporting documents and templates at https://www.fedramp.gov/documents-templates.
Managing cloud security controls can be tricky even for skilled cybersecurity teams. That’s because many common IT security practices for on-premises solutions don’t work well for the cloud. But adding another layer of security to your already busy cybersecurity teams doesn’t have to overwhelm them. A cybersecurity framework management solution like Apptega can help you implement, streamline, and manage all of your controls across all your frameworks, regardless of environment.
©2023 All Rights Reserved. Apptega® is a registered trademark of Apptega, Inc.