Best Practices for Adopting a Cloud Service Offering in Federal Agencies

There are several benefits to working with a cloud service offering from a FedRAMP authorized vendor. There are cost savings in shifting to the cloud and a highly visible security process, and the FedRAMP process makes it possible to evaluate previously vetted offerings, focusing specifically on the needs of the agency rather than government-wide requirements.

Here are some of the factors you should consider when evaluating whether a FedRAMP-authorized cloud service provider (CSP) is a good fit for your agency. Weighing them against your specific needs lets you compare the different cloud service offerings from vendors who have already acquired a P-ATO from the FedRAMP JAB.

Evaluate Security Programs

Perform additional research on the CSP and its security program. You can request these artifacts from FedRAMP by completing a request form on the FedRAMP website. All the information needed to determine whether the offering will fit the needs of your agency is available on that page. When determining which vendor will best fit the needs of an agency, there is a list of more than 150 CSPs that have already acquired P-ATO letters.


Request Additional Information from the Vendor

After you’ve evaluated the security artifacts on file with the FedRAMP website, you can reach out to the vendor and learn more about the process of purchasing and setting up the necessary accounts. At this stage, you can ask any questions you might have about the capabilities of the CSP to meet your agency’s specific needs, as well as the additional security controls that your agency may require in an agency ATO.

Agency Authorization to Operate Letter

At this stage, agencies are required under FISMA and FedRAMP to review all packages and issue an Authority to Operate (ATO) specific to the cloud service offering being evaluated. In addition to whatever work is done by the vendor, the agency must perform its own assessment covering the controls it is responsible for. There are frequently additional controls that need to be added to the list assessed for the service provider, such as privacy and program management, some of which are not currently required under the FedRAMP control baseline.

Ongoing and Continuous Monitoring

At this stage, the agency is expected to continue monitoring the service offering and to conduct annual assessments of the software. The ATO letter should be updated as required by FISMA whenever changes are needed to meet the agency's internal security requirements. The CSP should perform similar evaluations, so that all stakeholders are performing due diligence to ensure that the security of the product continues to meet the needs of the agency.

Learn More About FedRAMP and How It Benefits Agencies

You can learn more about the FedRAMP authorization process and how it directly benefits federal agencies by standardizing much of the security assessment process and creating a list of already qualified CSPs and CSOs for you to evaluate. Download our eBook, The Importance of FedRAMP for Federal HR Software to learn more.