As legacy Federal Proposal Managers, The Pulse has often run into the Federal Risk and Authorization Management Program (FedRAMP) certification requirement in cloud-based Request for Proposals (RFPs). Your Pulse Gals know the basics – FedRAMP is a certification which legitimizes your company’s cloud security policies, and it is increasingly becoming a “Go/No-Go” certification which determines if a GovCon can even compete for certain federal high-dollar value opportunities. Whether you offer cloud services for sale, or you use cloud-based services to run your business, if you do business with the Federal Government, FedRAMP is very likely to be on your radar.
The standardization of FedRAMP and its impact on how the Federal Government procures certain cloud-based products and services is becoming more and more apparent – so we posed the FedRAMP questions you were too afraid to ask.
We sat down with Mr. Ed Bassett from NeoSystems, an Organization that assists Federal Government contractors and other cloud-driven businesses by enabling, running and securing their business through dedicated security and compliance. NeoSystems offers FedRAMP Ready hosting services through their highly secure cloud, meeting data security standards and regulations including AICPA SOC 1 and SOC 2, PCI-DSS, MA 201 CFR 17.00, HIPAA, NIST SP 800-171, DFARS 252.204-7012, FAR 52.204-21, and ITAR compliance requirements.
Is FedRAMP applicable to all IT-Related requirements and/or contracts?
FedRAMP is only applicable for true “cloud services”. The official Government definition of a true cloud service can be found in NIST SP 800-145. There are a lot of services in the marketplace sold as “cloud” that don’t meet the Government’s definition. For an interesting take on a more modern definition click here.
Can anyone submit a FedRAMP Certification? How do you get started?
No contract award is required to start the process – HOWEVER – before you get start the FedRAMP approval process, most companies will find that they will need to enhance some (or perhaps many) of their security controls. Unless a Cloud Service Provider (CSP) designed their offering from the ground up with the FedRAMP security standards in mind (based on NIST SP 800-53) it is very unlikely that it will meet all of the requirements. For example, a cloud offering at the “Moderate Impact Level” must meet 325 different security controls, each specifying a feature or practice that the CSP must implement.
In order to submit a package for evaluation, the CSP must complete an extensive documentation package, including well over 1,000 pages of detailed security documentation explaining all aspects of how the offering meets the required controls. Creating this package is a significant effort. All items must be in the Government prescribed format to facilitate re-use by the Government. Meeting these strict documentation requirements often requires a re-work of the existing documentation.
Once the package is ready, a FedRAMP-certified Third Party Assessment Organization (3PAO) must be contracted to perform a technical review of the documentation package and testing of the system – prior to sending anything to the FedRAMP Program Management Office (PMO). The 3PAO audit is thorough and detailed, including technical penetration testing and collection of compliance evidence to ensure the system security controls are in place, effective, and match the documentation. Timelines and expenses vary, but somewhere in the range of 12-18 months of concentrated effort is required to prepare for and pass a 3PAO audit.
What does “Ready”, “In-Process”, and “Authorized Status” actually mean? What is involved in each status?
The FedRAMP program has three (3) recognized statuses for cloud service offerings. These statuses are listed in the FedRAMP marketplace and explained here.
Ready Status: The Ready Status means the CSP has completed a Readiness Assessment Report (RAR) that has been approved by the FedRAMP PMO. The decision process around the RAR is to determine whether the offering is “ready,” that is, likely to attain Joint Authorization Board (JAB) or Agency authorization were they to submit a package.
In-Process: The In-Process Status means that the service is in the process of being reviewed for authorization by the JAB or an Agency with the end goal of “authorization”. The authorization process involves a very detailed audit of documentation and rigorous security testing by a 3PAO. Since the evaluation process for authorization is more rigorous than the evaluation process for “ready” status, it is very possible some service providers might fail or get rejected.
Authorized: The Authorized Status means the service has been authorized by the JAB or an Agency. This is the point at which at the JAB has issued a Provisional Authority to Operate (P-ATO) or one or more Federal Agencies have issued an Authority to Operate (ATO) approving a cloud service to store and process their Agency’s data. Services in this status can be evaluated by other Agencies by leveraging the existing FedRAMP authorization package.
What is the difference between JAB or Agency authorization?
JAB and Agency Authorization are two (2) paths to authorization under FedRAMP.
The JAB will evaluate selected cloud offerings that it deems have a broad market across many agencies. That is, general purpose solutions. The JAB issues provisional authorizations with the intent that agencies can authorize those services with minimal additional work.
Any Agency can directly authorize cloud services for use within their agency. This is a common path for special purpose solutions of interest only to one or a few agencies.
So now we understand the “Statuses”, what about these “Impact Levels”?
In addition to the different statuses, each FedRAMP cloud service offering must specify a target “Impact Level”: Low, Moderate, or High. Impact levels relate to the sensitivity and criticality of data that can be stored or processed in the cloud service. FedRAMP sets the security standards for each level, adding more stringent security controls as the impact level increases. Moderate is the most common level of offerings and some CSPs have taken their mainline commercial offerings to the FedRAMP Moderate Level. The High Level is mostly populated by specialized offerings specifically built to the stricter standards. Looking on the FedRAMP marketplace, you can see each CSP offering and the impact level it is targeting.
Let’s say I’m a cloud-focused Government Contracting Organization that does not support the DoD, but does support HHS and USAID. Does FedRAMP matter to me?
FedRAMP is mandatory for all cloud services sold to the Federal government. Beyond this, DoD has mandated FedRAMP-equivalent security for contractor systems (non-Federal systems) that store or process certain data. Now, Agencies outside of DoD are starting to ask for FedRAMP-level security for contractor systems. The Department of Energy (DOE) is one example we have seen. There is a FAR clause currently in draft that would extend security requirements similar to those in the DoD’s DFARS 252.204-7012 to civil Agency contractors. Although this is not finalized yet, it is on the near-term horizon so those putting solutions together for non-DoD clients would be wise to avoid a dependency on cloud services that are not FedRAMP. This draft has been extended a few times, so we’re not really sure when it’ll come out. The rule is expected to require compliance with NIST SP 800-171 for all contractors (similar to what DoD has done in the DFARS) and presumably FedRAMP for cloud systems. A good review of all of these regulations can be found here.
Why Should I, the non-IT Government Contracting organization, care about FedRAMP?
If you are currently with an organization that is buying services for the Government that are not cloud computing services (and are not supported by any cloud computing), then FedRAMP plays no role.
However, for an organization in the commercial space and/or an IT buyer who is not mandated to select FedRAMP cloud providers, it still may make sense to shop the FedRAMP marketplace because of the assurance of security that comes with the FedRAMP designation. FedRAMP is more robust and more specific than other security auditing standards used in the commercial sector (most common are AICPA SOC 2 and ISO 27001). The Government, through the FedRAMP program, has set a fairly high bar for security. Because of this, many of the large cloud providers have chosen to take their mainstream offerings through the FedRAMP approval process.
Okay, but what if requirements get bundled or what if I am a subcontractor to a FedRAMP Prime?
The DoD in particular handles the bundling issue with a general DFARS clause that asks whether cloud computing is used in the delivery of the services. The intent there is that each contractor will declare whether they (or any subcontractors) do or do not use cloud computing.
For subcontractors to a Prime CSP whom is FedRAMP certified, the Prime would determine which security controls would apply to the subcontractor and pass those down by contract. More commonly, a Prime contractor utilizes a subcontractor who is already FedRAMP so that they can “leverage” their authorization to obtain their own.
So let’s get to the heart of this whole thing – why did the Federal Government create a FedRAMP Certification? Does FedRAMP actually solve the issues it is trying to address?
The primary reasons for FedRAMP are standardization and re-use. Before FedRAMP, Agencies developed and imposed different documentation standards and different evaluation processes. This was burdensome for the Agencies and for the CSPs.The standards and processes differed across Agencies and the results were not readily re-usable.
The Government’s objective for FedRAMP was to accelerate adoption of cloud technology without sacrificing security. FedRAMP seems to have succeeded in this respect. FedRAMP introduced standardized assessment processes and established a framework for Agencies to easily accept and re-use the assessment documentation to make their own decision regarding the security of a cloud service offering.
The security bar is set fairly high, and the rigorous standardized controls set by FedRAMP do in fact succeed in causing providers to implement security they most certainly would not do on their own (i.e., for commercial reasons). For re-use, both providers and Agencies seem to benefit from only doing the detailed security evaluation one-time. For providers who wish to sell across the Government, this is a benefit.
Like most large-scale Government programs, FedRAMP is not perfect. It does not solve “all” problems, security or otherwise. Standardization is a double-edged sword. On one side, providers and agencies benefit by knowing what is required from the start. On the other side, the FedRAMP security standards are very prescriptive and the process requirements are very onerous. For example, many have complained that this makes FedRAMP too expensive for smaller providers by not allowing them the latitude to choose security solutions that might be more appropriate to their size. Similarly, agencies used to a level of autonomy may feel that the standardization imposed by FedRAMP has impeded their ability to make decisions based on their specific security goals.
For more information on FedRAMP, please reach out to NeoSystems at GrowAhead@neosystemscorp.com