What Does FedRAMP Certification Entail? An Expert Breaks Down the Exact Steps

The maze of the FedRAMP certification program is not simple, but it is a necessary process that cloud security providers must go through if they want to store government data.

Corey Clements is Director of Federal Programs at SecureIT, an IT security company that is also a certified assessor for the FedRAMP certification program.

An IT cybersecurity expert, Corey has worked in the areas of FISMA (the Federal Information Security Management Act), NIST (the National Institute of Standards and Technology) and FedRAMP (the Federal Risk and Authorization Management Program).
In a conversation for the Government Enabled podcast, Corey described why Cloud Security Providers (CSP) have to enter the world of FISMA, NIST and FedRAMP.

FISMA, first of all, is the law that regulates information security at federal agencies. All government systems that process or store data must be compliant with FISMA. One of the requirements is the use of the NIST framework, which develops a set of guidelines and standards for providing adequate IT security.

FedRAMP, then, is the mandatory program that certifies FISMA compliance for commercial cloud providers.
FedRAMP is a streamlined, standardized process that prevents cloud systems from having to be assessed by multiple agencies or organizations.

“This results in the government agencies relying on that single assessment, and it’s saving time and money for both the IT provider as well as the federal government,” Corey says on the podcast.

Being certified boosts your opportunities with the federal government but increasingly is also being used by state and local governments, those of other countries and even the commercial sector for finding cloud security services, he says.

Entering the FedRAMP maze

As a Third Party Assessment Organization (3PAO), SecureIT assists organizations in preparing their application for FedRAMP. Corey has worked with several organizations to successfully obtain certification, and he’s seen a lot of different scenarios along the way.
Successful certification requires adequate preparation and involves a lot of documentation. Management buy-in is also key because obtaining FedRAMP certification is a full-time commitment.

“It is recommended to use a 3PAO — even to do your advisory — just because they know what it takes to get through the process and they’ve been through it before,” Corey says, noting that it’s especially crucial to have expert help during the preparation phase.
“There are many things you need to make sure are implemented in the system. You will need full time resources. And you will need that FedRAMP expertise to be able to interpret and help devise the different countermeasures and controls you’re implementing in your system to make sure you are FedRAMP compliant,” says Corey.

Challenges along the way are inevitable, but there are ways to avoid major mistakes and help the process go as smoothly as possible. In fact, Corey has published an ebook outlining ways to maximize your chances for FedRAMP authorization. In it, he includes several tips, such as:

  • “Don’t underestimate the challenge it is to achieve FedRAMP authorization,” Corey says. It’s a unique process with unique requirements that takes time to ensure compliance.
  • Secure a partnership with a government agency early on. This requires vetting the agency to make sure they know what it will take on their part and are committed to it.
  • Listen to the experts. “If you are going to use an advisor and an expert in the FedRAMP area, it would be good to really listen to them and take their guidance,” he says.

Security assessment and the FedRAMP authorization

Once you’ve prepared your application, the next step toward FedRAMP certification is the security assessment phase, which is performed by a 3PAO.

“There’s much more rigor in the assessment — meaning they can’t really rely on interviews. They need to interview you, but they also need to prove whatever you’re saying is actually occurring. That’s really where the rigor is there. And FedRAMP has a lot of requirements, so, testing all of those requirements and evidencing the performance of those requirements takes time,” Corey says.

This process will take about three months, he says, and involves three types of testing:

  1. testing controls and processes;
  2. vulnerability scanning; and
  3. penetration testing.

Once the FedRAMP package has been completed, the provider moves to the authorization phase.
The authorization phase involves two steps. First, there’s the sponsorship authorization, which can follow two different paths.

  1. Agency path: A government agency sponsors the CSP for FedRAMP certification. Once certified by the specific agency, however, only that agency may use the system.
  2. JAB path: The FedRAMP Joint Authorization Board (JAB) is made up of the Chief Information Officers of the Department of Homeland Security, the General Services Administration and the Department of Defense. This path is competitive because the JAB selects only three or four systems per quarter.

A CSP would choose one authorization strategy over the other depending on their system’s impact level, deployment model, stack, and market demand.

However, after completing either of these paths, the provider is not quite FedRAMP certified yet. The package then moves to the FedRAMP Program Management Office (PMO), which delivers the authorization. This can take anywhere from a couple of weeks to six months, depending on the quality of the package.

“And that’s the gate you need to get through to get on that FedRAMP website. After you’re there, of course that’s when any government agency can come and start using your system.”

FedRAMP is an ongoing journey

Once authorization is granted, a provider is ready to hit the marketplace. But the process doesn’t end there. It’s important to maintain compliance regularly through standard tests and continuous monitoring, or ConMon as it’s called in the FedRAMP world.
This includes day-to-day procedures as well as periodic monthly and annual ones, such as:

  1. Everyday change management processes
  2. Monitoring system activity
  3. Follow-ups
  4. Periodic tests of the incident response plan
  5. Periodic tests of the disaster recovery plan
  6. Periodic user account recertifications
  7. Vulnerability scans of the web application, operating systems and databases
  8. Monthly Plan of Action and Milestones (POA&M), the current issues list
  9. Annual security awareness training for employees
  10. Annual 3PAO assessment

Corey jokes that the FedRAMP process is kind of like the five stages of grief because of its intricacies and time commitment. But getting through it is worth the benefits.

“Getting to that acceptance stage — getting to that stage as quickly as possible is valuable, of course. It will save you a lot of time and money,” Corey says.
