The FedRAMP certification process is a maze of documentation, checks and ongoing monitoring for cloud service providers looking to work with government agencies.
In this episode of Government Enabled with host Gil Tillman, Corey Clements, Director of Federal Programs at SecureIT, an IT security company that is also a certified assessor for the FedRAMP certification program, breaks down exactly what each phase entails — and how you can boost your chances of successfully getting certified.
“There are many things you need to make sure are implemented in the system,” Corey says. “You will need full-time resources, and you will need that FedRAMP expertise to be able to interpret and help devise the different countermeasures and controls you’re implementing in your system to make sure you are FedRAMP compliant.”
FedRAMP, or the Federal Risk and Authorization Management Program, is a streamlined, standardized process that prevents cloud systems from having to be assessed separately by multiple agencies or organizations. The complex process is necessary for cloud service providers if they want to store government data.
“This results in government agencies relying on that single assessment, saving time and money for both the IT provider as well as the federal government,” Corey says.
Corey explains that all government systems, and all systems that process or store government data, are required to be compliant with FISMA, the Federal Information Security Management Act, and that FISMA in turn requires the use of the NIST (National Institute of Standards and Technology) framework. FedRAMP, then, is the program that gets you certified against these compliance requirements once, so that all other government agencies can rely on that single assessment, he says.
Successful FedRAMP certification requires adequate preparation and involves a lot of documentation, Corey says. Management buy-in is also key because obtaining FedRAMP certification is a full-time commitment. One of the ways to help you get through this process is with a Third Party Assessment Organization, or 3PAO, which will advise you every step of the way.
Being FedRAMP certified boosts your opportunities with the federal government, but the certification is increasingly also being used by state and local governments, by other countries and even by the commercial sector as a way to find trusted cloud services, Corey says.
Get early government sponsorship
“Obtain a government sponsor. That’s a key thing to get. You don’t want to go too far down the process and realize you don’t have anybody to sponsor you.”
Choosing your system
“And the next step will be upgrading your existing system or deciding to build a brand new system, or new environment. A lot of the times we see organizations will have their commercial system, but because of FedRAMP requirements, they actually want a separate system for the FedRAMP system.”
Getting 3PAO advisory for pre-assessments
“Something that’s useful is doing a pre-assessment yourself or having your advisor do that pre-assessment. That can help you understand where you would grade from a real assessment. The key thing here is if you do decide to use an advisor, that advisor cannot do your actual full assessment. You’ll need two different organizations to do that. It is recommended to use a 3PAO even to do your advisory because they know what it takes to get through the process, they’ve been through it before.”
The two FedRAMP authorization paths
“FedRAMP has two authorization paths. One is the organization, the cloud provider, partnering with an agency, and that’s mostly what we’ve been talking about here today. The other thing that can be done is the JAB path, the FedRAMP Joint Authorization Board, a group of three different organizations, Department of Homeland Security, the General Services Administration and the Department of Defense. The Chief Information Officers of those organizations make up the JAB. They have teams supporting that. The JAB also sponsors cloud systems through the process. Because they only have so many resources and so much time, they actually go through a process to decide on a quarterly to six-month basis who gets into their program, so it’s quite competitive to get in.”
The continuous monitoring phase
“Continuous monitoring, or ‘conmon,’ is continually maintaining your system after the approval has been provided. That requires your standard stuff you’re probably doing every day: change management processes, monitoring system activity, following up on anything that needs to be followed up on. Then there are also periodic processes that you’ll do: annual security awareness training for your employees, testing and exercises of your incident response plan and disaster recovery plan, performing user account re-certifications. Those are the periodic things that you’ll need to continually do. Then there are other periodic procedures that need to be performed that FedRAMP actually requires you to have artifacts for and upload to FedRAMP’s portal…”