Federal Risk and Authorization Management Program
FedRAMP is a government mandated program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.
The FedRAMP application process is an arduous and painstakingly-detailed authorization that few cloud service providers and data centers can complete. So very few organizations attain FedRAMP authorization due to the bar for security, operating control structure and reporting being set so incredibly high.
FedRAMP status certifies that a cloud service provider meets governmental IT security standards by using a standardized framework for vetting the security of cloud services. FedRAMP has been widely adopted by other government agencies and is now becoming a standard for cloud security in many areas of the public sector. FedRAMP standards are controlled by the National Institute of Standards and Technology (NIST) and save government agencies an estimated 30-40% of government costs, including time and staff.
FedRAMP Continuous Monitoring
The FedRAMP continuous monitoring program is based on the continuous monitoring process described in NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organization. The goal is to provide operational visibility, managed change control, and attendance to incident response duties.
The effectiveness of a CSP’s continuous monitoring capability supports ongoing authorization and reauthorization decisions. Security-related information collected during continuous monitoring is used to make updates to the security authorization package. Updated documents provide evidence that FedRAMP baseline security controls continue to safeguard the system as originally planned.
As defined by the National Institute of Standards and Technology (NIST), the process for continuous monitoring includes the following initiatives:
- Define a continuous monitoring strategy based on risk tolerance that maintains clear visibility into assets and awareness of vulnerabilities and utilizes up-to-date threat information.
- Establish measures, metrics, and status monitoring and control assessments frequencies that make known organizational security status and detect changes to information system infrastructure and environments of operation, and status of security control effectiveness in a manner that supports continued operation within acceptable risk tolerances.
- Implement a continuous monitoring program to collect the data required for the defined measures and report on findings; automate the collection, analysis, and reporting of data where possible.
- Analyze the data gathered and Report findings accompanied by recommendations. It may become necessary to collect additional information to clarify or supplement existing monitoring data.
- Respond to assessment findings by making decisions to either mitigate technical, management and operational vulnerabilities; or accept the risk; or transfer it to another authority.
- Review and Update the monitoring program, revising the continuous monitoring strategy and maturing measurement capabilities to increase visibility into assets and awareness of vulnerabilities, further enhance data-driven control of the security of an organization’s information infrastructure, and increase organizational flexibility.
Security control assessments performed periodically validate whether stated security controls are implemented correctly, operating as intended, and meet FedRAMP baseline security controls. Security status reporting provides federal officials with information necessary to make risk-based decisions and assures existing customer agencies regarding the security posture of the system.
An important aspect of a CSP’s continuous monitoring program is to provide evidence that demonstrates the efficacy of its program. CSPs and its independent assessors are required to provide evidentiary information to AOs a minimum of, monthly, annually, every three years, and on an as-needed frequency after authorization is granted. The submission of these deliverables allows AOs to evaluate the risk posture of the CSP’s service offering and providing evidence, such as monthly vulnerability scans of CSPs operating systems/infrastructure, databases, and web applications.
As part of the continuous monitoring process, CSPs are required to have a third party assessment organization perform an annual assessment for a subset of the overall controls implemented on the system.
Systems are dynamic, and FedRAMP anticipates that all systems are in a constant state of change. Configuration management and change control processes help maintain a secure baseline configuration of the CSP’s architecture. Routine day-to-day changes are managed through the CSP’s change management process described in their Configuration Management Plan.
However, before a planned major significant change takes place, CSP’s must perform a Security Impact Analysis to determine if the change will adversely affect the security of the system. The Security Impact Analysis is a standard part of a CSP’s change control process as described in the CSP’s Configuration Management Plan.
CSPs must notify their AO with a minimum of 30 days before implementing any planned major significant changes. The AOs might require more time based on the severity of the change being implemented so CSPs must work closely with the AOs to understand how much time is needed in advance of major changes. CSPs must complete a Significant Change Security Impact Analysis Form and provide to the AO for their analysis. All plans for major significant changes must include the rationale for making the change and a Security Assessment Plan (SAP) for testing the change before and after implementation into the production system.
FedRAMP requires that CSPs demonstrate that they can adequately respond to security incidents. As part of the FedRAMP requirements, CSPs are required to submit and maintain an incident response guide, which is approved by the AO. CSPs are also required to follow the incident response and reporting guidance contained in the FedRAMP Incident Communications Procedure.
Lifeline Data Centers is FedRAMP Ready
FedRAMP Ready status allows Lifeline Data Centers to begin conversations with government agencies and private corporations to host sensitive data, all the way up to Top Secret information. Currently, only six other organizations nationwide have attained the FedRAMP-Ready designation for an IaaS/PaaS to this level of security. Additionally, Lifeline Data Centers is the only cloud and data center provider to carry a FedRAMP authorization in the Midwest and only data center in the country that includes an EMP-shielded data center. Lifeline Data Centers is also the only FedRAMP-ready cloud services provider that controls all layers of the services stack, meaning they own the real estate, the data center facilities, and directly employ the professionals that maintain all of it.
We began this federal authorization effort nearly three years ago. By aligning all business processes and overhauling all technology infrastructure, we have been able to pass rigorous intrusion penetration testing and the exhaustive audit process required by the FedRAMP Project Management Office. Rich Banta, managing member for Lifeline Data Centers
Lifeline Data Centers is now offering corporate clients the same level of security and uptime, and high-end benefits not found with any other data center or cloud service in the country on its RedRack platform.
FedRAMP FAQs - Frequently Asked Questions
“The Federal Risk Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.”
- Certifies that a cloud service provider meets governmental IT security standards.
- Uses a standardized framework for vetting the security of cloud services.
- Also adopted by other government agencies, and useful in other areas of the public sector.
- Standards controlled by the National Institute of Standards and Technology (NIST).
- Saves government agencies an estimated 30-40% of government costs, including time and staff.
For full details about FedRAMP, visit the official website.
Nearly four years have passed since the government introduced FedRAMP, designed to encourage federal agencies to embrace cloud computing to significantly reduce federal IT operating and capital investment costs. FedRAMP was introduced to streamline the process needed to assess the security risks of using cloud-computing systems, and features a common set of security controls and an independent verification system, and allows agencies to use a cloud service that already has been authorized for use by another federal agency. As a result, the agencies do not have to repeat the security authorization process.
Before FedRAMP became mandatory for government data, each federal agency conducted its own risk assessment for the cloud service they procured. This resulted in multiple and redundant security assessments for identical services, and lack of clarity on what constituted acceptable standards. FedRAMP standardized the risk assessment process for every federal agency, and, as such, would make things easier in the long run, even if data centers and providers would have to spend considerable time up front mapping the new security requirements.
To ensure the highest level of compliance and security, government agencies must “use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services” (Office of Management and Budgets Policy Memo on FedRAMP). It’s been the established compliance standard for government cloud contracts moving forward.
Furthermore, FedRAMP is a requirement for most States now, since they receive large grants and huge amounts of government data to process and store. This is also becoming a requirement for major cities within the United States.
There are a variety of benefits to FedRAMP specifically, including:
- Accelerated adoption of cloud solutions through the reuse of security assessments and authorizations across agencies.
- Enhanced transparency between government/private industry and Cloud Service Providers (CSPs) with recognized federal security authorization processes.
- Uniform approach to risk-based management clarifies expectations and saves significant time and resources for all parties involved.
- Automated, continuous monitoring with real-time data and enhanced security visibility.
- Creates trust between federal agencies and CSPs.
The biggest benefit to using FedRAMP-compliant CSPs is rigorous security and uptime engineered into the data center and cloud system, which remains audited against strict standards in near real-time.
Getting approved for the FedRAMP certification is far tougher than most cloud providers anticipated. In fact, few organizations are truly capable of making it through the process. As shared by an article in GCN:
Of more than 80 cloud providers who have applied to go through the FedRAMP certification, more than half are not yet ready to go through the process, according to Kathy Conrad, principal deputy associate administrator with the General Services Administration’s Office of Citizen Services and Innovative Technologies.
Further, Conrad reported that the government intentionally made the program “rigorous and does not plan to make it any easier.”
In other words, any organization that can obtain FedRAMP certification has a pretty shiny competitive advantage over other cloud providers. It’s the federal government’s stamp of approval on security and uptime.
So, which organizations are genuinely capable of making it through the FedRAMP certification process?
One reliable measure is how highly an organization rates against the Capability Maturity Model Integration (CMMI) framework. CMMI is a process improvement program that guides businesses into organizational and operational maturity. It is broken up into five levels:
- Level 1: Initial — At this stage, processes are not defined and are reactive.
- Level 2: Managed — Some processes are defined, but the business is still in a state of reactive mode.
- Level 3: Defined — The business starts to move into a state of proactivity, with clearly defined processes and procedures.
- Level 4: Quantitatively Managed — Not only are the processes well-defined, but they are measured for quality and efficiency.
- Level 5: Optimizing — Mature businesses maintain clear real-time visibility into how their processes are performing and optimize them accordingly.
Lifeline Data Centers has a CMMI of 4+
Our estimation is that companies need to be at Level 4 and well into Level 5 to have a realistic chance of successfully navigating the FedRAMP certification process.
The reality is that FedRAMP will separate the high-level providers from the commodity providers. If you want to compete for any government agency cloud hosting contracts, or secure and compliant private industry business: then the rigorous, costly, and tedious process is mandatory.
Although FedRAMP, which is managed by the General Services Administration, has been increasingly accepted, many criticized the lengthy approval process. In some cases, it has taken more than a year.
Under the new FedRAMP Accelerated program, the approval process will take an average of three to six months.
Federal Computer Week said the new accelerated process will require CSPs that want to work with the Joint Authorization Board for FedRAMP approval to have a third-party assessment organization, or 3PAO, conduct the initial capabilities assessment before diving into detailed documentation.
If the 3PAO gives the cloud service provider a nod of approval, the provider would be considered FedRAMP ready, after the additional approval of the FedRAMP team. According to Goodrich, the designation would be legitimate and would assure agencies that the service was ready for use, Federal Computer Week reported.
While the new changes focus on speed, FedRAMP Director Matt Goodrich said it was never among the goals. "Our primary focus was security, avoiding hacks, avoiding breaches. But as we rethink the FedRAMP process, we know that the process needs to be quicker, but without sacrificing security standards."
Cloud Service Providers (CSPs) that offer cloud services to federal agencies must meet the following requirements, as exactly defined by FedRAMP.gov:
- Directly apply or work with a sponsoring agency to submit an offering for FedRAMP authorization
- Implement the FedRAMP baseline security controls
- Hire an Independent Assessor to perform an independent system assessment
- Create and submit an authorization package
- Provide continuous monitoring reports and updates
To get a better idea of what is required, CSPs should review the following:
- Security Assessment Framework (SAF)
- Guide to Understanding FedRAMP
- FedRAMP’s process areas: Document, Assess, Authorize, and Monitor.
Visit FedRAMP’s official website for full documentation on the requirements.
The State of FedRAMP Compliance
FedRAMP is steadily seeing an increase in adoption, and FedRAMP shared some of its progress in the micrographic to the right. (Click to zoom).
Some of the highlights from the end of last year include:
- 53% increase in agency authorizations
- 25% increase in JAB authorizations
- 340% increase in training enrollees
- 50% increase in FedRAMP compliant cloud services
We plan to be a contributor to these numbers this year, and we believe these numbers indicate how important FedRAMP really is.
For a full rundown of the report, visit the official FedRAMP website.
It's all in the numbers:
FedRAMP-Authorized Cloud Computing is the way of the future for government agencies.
For more information, request a tour of our data center today.