David Blankenhorn

OPINION

Five steps to make FedRAMP work for you

Preparation is critical to success

The rigor and integrity of the Federal Risk and Authorization Management Program’s security assessment of cloud service providers lends credibility, and ultimately facilitates public sector IT's migration to cloud-based solutions.

However, CSPs have found themselves unprepared for the granularity of the FedRAMP assessment process. This unpreparedness delays not only the approvals but also the government’s adoption of the cloud offerings. The following five steps will help guide CSPs looking to move through the process more smoothly.

1. Understand the process; be prepared

CSPs need to understand the rules of the game. The FedRAMP assessment process, based on the National Institute of Standards and Technology’s NIST 800-53 rev3 document, characterizes the controls that IT systems need to have in place for various levels of security compliance.

As an absolute baseline, CSPs need to review and understand the controls in the System Security Plan. The plan is available for download on the FedRAMP website - FedRAMP Security Controls.

2. Complete an internal audit

Before moving any further, the CSP must determine what impact level they would like to pursue and conduct an internal audit. The CSP will need to look at FedRAMP’s System Security Plan and see what needs to be done to meet each control. Ask how each control applies, and document how that control is met. The more complete the documentation is now, the smoother things will be later in the process.

3. Determine what approach to take

There are currently four ways for a CSP to be listed in the FedRAMP repository.

I - One of the most popular and most common ways to obtain an Authority to Operate (ATO) is for the CSP to work with the FedRAMP Program Management Office (PMO) and initiate a relationship with a third party assessment organization (3PAO). The 3PAO will put a package together that consists of the System Security Plan, the Assessment Plan and the Assessment Report, and submit it to the FedRAMP PMO. Once submitted, it is reviewed and, if it meets requirements, it will be approved by the Joint Advisory Board (JAB) and the CSP will be provided with a provisional ATO.

II - A CSP can hire a third party auditor who will put the package together and submit it. While an ATO is not issued by either the JAB or an agency, the package is there for agencies to use. It is conceivable that an agency could use the package and consider offering an agency ATO if they find the package complete.

III - A governmental agency can use the FedRAMP package (the three core documents mentioned above) and can put the CSP through its paces. The governmental agency can issue its own ATO for that provider and they can submit their findings in a package to FedRAMP. In this case, it's the governmental agency providing the ATO and there is no FedRAMP 3PAO involved. Other agencies can then access the package in the repository for possible re-use.

IV - The final option is an agency ATO with a FedRAMP 3PAO. In this instance, a governmental agency uses the FedRAMP templates and a 3PAO is used for the audit. The agency authorizes an agency ATO and then the whole package is submitted to FedRAMP for other agencies to leverage.

The main takeaway here is to understand the package and the process. Do your homework and pre-assessment work. And, if possible, find an agency that is interested in your product to actually lead the effort.

4. Find the right auditor

Depending on the approach, either the CSP will need to find a 3PAO, or the agency the CSP is working with will find the 3PAO. But again, finding the right third party assessment organization is key. There is a finite list of companies authorized to do these audits.

5. Regardless of the approach, don’t leave out the PMO

CSPs need to engage the PMO because in many cases they are the ones who will “get” certain controls listed in the System Security Plan. If you read the controls, they are mostly looking for the processes, procedures and technology used to meet each control. For example, when the auditor comes in to assess the fire suppression requirement, the question arises: “how do we actually ‘test’ that control?” Do they turn on a sprinkler system in a data center full of servers, or do they know the sprinkler will work when needed because it was tested at some point, has been properly maintained, and the process has been documented? This is where it is important to involve the PMO and actually understand the intent of what should be tested in the audit.

FedRAMP is not a process for those who are looking for a quick and easy security assessment. But there are significant benefits in going through the process and if CSPs follow the five steps outlined in this article, there will be a higher level of understanding and success in obtaining an ATO.

About the author
David Blankenhorn joined DLT Solutions as its chief cloud technologist in early 2011 where he leads the DLT Cloud Advisory Group.
Reader Comments

Thu, Jun 27, 2013 Mouse in the Wall FedRAMP Bldg

There are actually only 3 ways to get in the FedRAMP repository. Item II as described is not actually accurate.
