5 steps to getting FedRAMP right (the first time)
The Federal Risk and Authorization Management Program (FedRAMP) is a comprehensive framework that defines the security requirements private companies are obligated to follow in order to provide cloud products and services to government agencies in North America. The framework defines requirements for nearly all aspects of the business, from application and system development to people management to data and network security.
Implementing a FedRAMP system and obtaining a Moderate or High Impact Authority to Operate (ATO) takes most organizations between 12 and 18 months. Your organization will need this time to draft requirements, design and architect the system, implement and document technical controls and processes, train staff, and perform the Third-Party Assessment Organization (3PAO) assessment of the system.
Given the comprehensive nature of the framework, it is important that your organization takes the necessary steps to prepare for a project of this size, chiefly to ensure that the implementation of your FedRAMP program meets cost, schedule, and U.S. Government customer requirements.
We share our thoughts below on the five steps your organization should take in order to ensure successful implementation of your FedRAMP program.
1. Ensure appropriate support is in place
While the return on investment for companies who invest in FedRAMP is undeniable, securing an initial FedRAMP Authorization to Operate (ATO) is an expensive undertaking that requires significant up-front resources, including funding, system and process changes, and staffing changes. Support and active involvement from senior management is required to ensure these large-scale changes can be implemented in a timely and efficient manner.
It is critical for the organization to establish a project team consisting of representatives from the different business units that will impact the system as well as its supporting processes and resources, including:
- System/Software Engineering
- System Security Engineering
- Corporate IT for corporate services that may be included within the authorization boundary
- Customer Service Specialists
- Human Resources
- Third-party Managed Service Providers
The project manager should be experienced and capable of holding responsible parties accountable for enacting FedRAMP-required initiatives and changes, so that the project meets all scheduling, budget, and FedRAMP ATO requirements.
Because a FedRAMP project is cross-functional, the absence of a project manager who can track the project's work streams and their dependencies can leave individual work streams languishing, delaying completion of the overall project.
2. Understand the basics of FedRAMP
All stakeholders should ensure they have a strong understanding of the basic principles and controls that make up your organization’s FedRAMP program requirements. FedRAMP requires your organization to not only implement controls that meet the program’s requirements, but to monitor the effectiveness of those controls on a continual basis.
Before beginning your FedRAMP journey, it is recommended that all stakeholders participate in the free FedRAMP training for Cloud Service Providers (CSPs) offered by the FedRAMP Program Management Office (PMO). Participating in the basic FedRAMP training ensures that everyone is aligned on the government's expectations and on how their individual business units fit into the overall program.
3. Understand your organization’s internal processes
FedRAMP's requirements extend beyond IT, impacting business and operations teams such as HR. While you may have a strong understanding of the processes your own business unit is responsible for, how those processes fit into larger business workflows may not be as clear.
For example, HR typically performs background checks before IT provisions a new employee's access to the corporate environment. Often, no single individual is aware of the detailed steps IT and HR take to execute each phase of the process, which can result in a failure to identify gaps or dependencies within the business process.
For this reason, it is critical to identify and include all of the appropriate representatives from each business unit during key processes. Understanding the detailed steps of each business process from end to end will allow your organization to realize the following desired outcomes:
- Facilitate greater integration of cross-functional teams;
- Identify dependencies between existing processes and opportunities for process enhancement;
- Quantify, qualify and understand gaps between existing processes and FedRAMP requirements; and
- Better align the organizational culture and norms with FedRAMP system authorization requirements.
4. Build a relationship with your Sponsoring Agency
In order to offer your cloud service or product to a government agency, your organization must either:
- Follow the process to obtain a FedRAMP Provisional Authorization to Operate (P-ATO), which has more stringent requirements but allows your company to sell your cloud offering to multiple agencies; or
- Partner with a specific agency in order to obtain a FedRAMP Authorization to Operate (ATO).
The majority of organizations will opt to first obtain an ATO and then later obtain a P-ATO. When obtaining an ATO, it is important that your organization establish a relationship with the individuals who work at your sponsoring agency.
FedRAMP differs from other frameworks in that some requirements are deemed "organization-defined," meaning the government agency defines the specific requirement that your organization must follow. For example, control IA-5(1) requires the organization to "enforce a minimum password complexity of [Assignment: organization-defined requirements…]," meaning the agency you partner with will tell your organization what the minimum password requirements are. To increase the agency's willingness to work with you, establish a relationship with the agency's stakeholders and demonstrate your commitment to securing the data processed by your cloud offering.
The same relationship building is valuable in the case of a P-ATO. Instead of working directly with an agency, your organization will work with the Joint Authorization Board (JAB) in order to determine the organization-defined requirements. This is especially important because the government agency or JAB must provide the final approval and sign off in order to grant your system an ATO.
5. Partner with an expert
The cost and complexity of implementing a FedRAMP program make it a difficult do-it-yourself undertaking for most companies. It is important that your organization implements the FedRAMP controls appropriately the first time, to avoid costly rework and delays in achieving authorization.
Any organization pursuing a FedRAMP Authorization should partner with a certified Third-Party Assessment Organization (3PAO) as an advisor. A 3PAO is an organization that is certified to perform FedRAMP assessments and has met the rigorous requirements set by A2LA, ISO/IEC 17020, and the FedRAMP Program Management Office (PMO). In addition, all 3PAO assessors are required to demonstrate their knowledge of FedRAMP by successfully completing the government’s Cyber Range Assessment.
Several of FedRAMP's requirements are risk-based and fairly vague; often there is no clear-cut answer as to whether a particular control has been met.
Partnering with a 3PAO can:
- Help you determine if the control is met based on the associated risk and control context
- Ensure that the appropriate architectural, process, and staffing changes are identified and implemented
- Minimize cost and project duration
- Certify that requirements are met and that the system is appropriately secured
The FedRAMP authorization process is a long and complex continuing journey, but obtaining a FedRAMP ATO is critical for companies that want to provide any sort of cloud-based product or service to federal agencies. Working with a FedRAMP 3PAO as your advisor can help you simplify and streamline the process to achieve authorization.
About NCC Group
NCC Group exists to make the world safer and more secure.
As global experts in cyber security and risk mitigation, NCC Group is trusted by over 15,000 clients worldwide to protect their most critical assets from the ever-changing threat landscape.
With the company’s knowledge, experience and global footprint, it is best placed to help businesses identify, assess, mitigate and respond to the evolving cyber risks they face.
To support its mission, NCC Group continually invests in research and innovation, and is passionate about developing the next generation of cyber scientists.
With over 1,800 colleagues in 12 countries, NCC Group has a significant market presence in North America, continental Europe and the UK, and a rapidly growing footprint in Asia Pacific with offices in Australia and Singapore.