Five steps to make FedRAMP work for you

The rigor and integrity of the Federal Risk and Authorization Management Program’s security assessment of cloud service providers lends credibility, and ultimately facilitates public sector IT's migration to cloud-based solutions.

However, CSPs have found themselves unprepared for the granularity of the FedRAMP assessment process. This unpreparedness will result in the delay of not only the approvals but also the government’s adoption of the cloud offerings. The following five steps will help guide CSPs looking to move through the process a little smoother.

1. Understand the process; be prepared

CSPs need to understand the rules of the game. The FedRAMP assessment process, based on the National Institute of Standards and Technology’s NIST 800-53 rev3 document, characterizes the controls that IT systems need to have in place for various levels of security compliance.

As an absolute baseline, CSPs need to review and understand the controls in the System Security Plan. The plan is available for download on the FedRAMP website - FedRAMP Security Controls.

2. Complete an internal audit

Before moving any further, the CSP must determine what impact level they would like to pursue and conduct an internal audit. The CSP will need to look at FedRAMP’s System Security Plan and see what needs to be done to meet each control. Ask — how does each control apply and document how that control is met. The more complete the documentation is now, the smoother things will be later in the process.

3. Determine what approach to take

There are currently four ways for a CSP to be listed in the FedRAMP repository.

I - One of the most popular and most common ways to obtain an Authority to Operate (ATO) is for the CSP to work with a FedRAMP Program Management Office (PMO), and initiate a relationship with a third party auditing organization (3PAO). The 3PAO will put a package together that consists of the Systems Security Plan, the Assessment Plan and the Assessment Report and submit it to the FedRAMP PMO. Once submitted, it is reviewed and if meets requirements, it will be approved by the Joint Advisory Board (JAB) and the CSP will be provided with a provisional ATO.

II - A CSP can hire a third party auditor who will put the package together and submit it. While an ATO is not issued by either the JAB or an agency, the package is there for agencies to use. It is conceivable that an agency could use the package and consider offering an agency ATO if they find the package complete.

III - A governmental agency can use the FedRAMP package (the three core documents mentioned above) and can put the CSP through its paces. The governmental agency can issue its own ATO for that provider and they can submit their findings in a package to FedRAMP. In this case, it's the governmental agency providing the ATO and there is no FedRAMP 3PAO involved. Other agencies can then access the package in the repository for possible re-use.

IV - The final option is an agency ATO with a FedRAMP 3PAO. In this instance, a governmental agency uses the FedRAMP templates and a 3PAO is used for the audit. The agency authorizes an agency ATO and then the whole package is submitted to FedRAMP for other agencies to leverage.

The main take-a-way here is to understand the package and process. Do your homework and pre-assessment work. And, if possible, find an agency that is interested in your product to actually lead the effort.

4. Find the right auditor

This may be the case where the CSP will need to find a 3PAO, or it may be the agency the CSP is working with that will find the 3PAO. But again, finding the right third party auditing organization is key. There is a finite list of companies authorized to do these audits.

5. Regardless of the approach...don’t leave out the PMO

CSPs need to engage the PMO because in many cases, they are the ones that will “get” the certain controls listed in the System Security Plan. If you read the controls, they are mostly looking for processes, procedures and technology being used to meet said control For example, to meet the fire suppression requirement the question arises when the auditor comes in – “how do we actually ‘test’ that control?” Do they turn on a sprinkler system in a data center full of servers, or do they know the sprinkler will work when needed because it was tested at some point, has been properly maintained, and the process has been documented. This is where it is important to involve the PMO and actually understand the intent of what should be tested in the audit.

FedRAMP is not a process for those who are looking for a quick and easy security assessment. But there are significant benefits in going through the process and if CSPs follow the five steps outlined in this article, there will be a higher level of understanding and success in obtaining an ATO.

About the author
David Blankenhorn joined DLT Solutions as its chief cloud technologist in early 2011 where he leads the DLT Cloud Advisory Group.