What is FedRAMP?

FedRAMP is a U.S. government-wide program that was designed to ensure all federal information systems, aside from national security systems, meet the requirements of the Federal Information Security Management Act (FISMA).

For government agencies and the defense industrial base, FedRAMP Authorized status is important because it ensures the cloud services they use meet stringent security requirements, which is vital when handling sensitive government data. By using a FedRAMP Authorized service, agencies are also in compliance with federal regulations for cloud services.

Cloud services customers, especially those who are government agencies or businesses that handle government data, should care about FedRAMP Authorization for a few reasons:

• It reduces the risk of security breaches by ensuring that cloud service providers adhere to a high level of cybersecurity standards.
• It saves time and resources since the authorization process involves a detailed examination of the provider's security measures, and once a service is authorized, that authorization can be used across government agencies.
• It promotes transparency between the cloud service provider and the customer as the providers are required to continuously monitor and report their security measures.

• Enhanced Security: FedRAMP certified providers have gone through rigorous security assessment, which ensures that they implement strong security measures to protect customer data.
• Compliance: For government agencies and contractors, using a FedRAMP certified provider ensures they remain in compliance with federal regulations.
• Consistent Security Standards: FedRAMP provides consistent security standards for all cloud services, ensuring a uniform level of protection across all platforms.
• Cost and Time Savings: The "do once, use many times" framework reduces duplication of effort and saves time and money for the agencies that need to perform their own security assessments.
• Continuous Monitoring: Providers are required to continuously monitor their security controls and report the results, ensuring ongoing security assurance.
• In short, customers who trust their data to a FedRAMP Authorized system can have greater peace of mind that their data is protected by stringent security measures that meet or exceed federal standards.

• U.S. Federal Government Agencies: All federal agencies are required to use FedRAMP Authorized cloud services for their cloud-based IT deployments at or above the low and moderate risk impact levels. It ensures the security of government data in the cloud and compliance with existing regulations.
• Government Contractors: Companies that have contracts with the federal government, especially those handling sensitive information or operating on behalf of a government agency, often need to use FedRAMP Authorized cloud services. These might include defense contractors, research organizations, or consultancy firms.
• State and Local Governments: Although not formally required to use FedRAMP Authorized services, many state and local government entities choose to do so. FedRAMP can provide an extra level of assurance regarding the security controls of the cloud services these governments use.
• Healthcare Providers: Some healthcare organizations that handle sensitive patient data (which may be subject to federal regulations like HIPAA) may opt to use FedRAMP Authorized cloud services as a part of their overall risk management strategy.
• Educational Institutions: Universities and other educational institutions that receive federal funding, especially for research involving sensitive data, may also need or choose to use FedRAMP Authorized cloud services.

The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) is a set of guidelines that provide a process that integrates security, privacy, and risk management activities into the system development life cycle.

The RMF, as detailed in NIST Special Publication 800-37, is used by federal agencies in the United States to assess and manage risks, and to certify and accredit IT systems to ensure they meet a sufficient level of cybersecurity readiness before they go live.

The RMF consists of six steps:

• Categorize the system: This involves understanding the system and the information processed, stored, and transmitted by that system. The system is then categorized based on its impact level (low, moderate, or high).
• Select security controls: Based on the categorization, security controls are selected from NIST Special Publication 800-53. This document provides a catalog of security and privacy controls that are implemented to protect the system from threats.
• Implement security controls: The selected security controls are implemented within the system. Detailed documentation is developed that describes how the controls are deployed within the system and its environment of operation.
• Assess the controls: The implemented controls are assessed to determine if they are implemented correctly and are producing the desired outcome with respect to meeting the security requirements for the system.
• Authorize the system: If the system is found to be sufficiently secure during the assessment, an authorizing official will issue an Authorization to Operate (ATO). If not, remediation actions are taken.
• Monitor the controls: Continuous monitoring activities are conducted to track changes to the system, ensure the continued effectiveness of the controls, and maintain the system’s security posture.
• The RMF's ultimate goal is to help organizations understand and manage risks associated with the use of their systems, thereby ensuring the integrity, confidentiality, and availability of their information.

An Interconnection Security Agreement (ISA) is a document that specifies the technical and security requirements for planning, establishing, maintaining, and discontinuing the connection(s) between two or more systems or networks under different operational authorities. It's essentially an agreement between organizations that operate interconnected IT systems about how to secure the data that's being exchanged.

ISAs typically include details such as:

• The Systems Involved: The systems or networks that are being interconnected.
• The Data Being Transferred: What data is being exchanged between the systems.
• Security Procedures: The security controls and procedures that each organization will implement to protect the data.
• Roles and Responsibilities: The roles and responsibilities of each party, including who is responsible for the security of the data while it's being transmitted.
• Incident Handling: How security incidents are reported and handled, and how each party will respond to incidents.
• Termination Procedures: The steps that will be taken to securely terminate the interconnection when it is no longer needed.

An ISA is part of the risk management approach outlined in the NIST Special Publication 800-47, "Security Guide for Interconnecting Information Technology Systems". It's used in conjunction with a Memorandum of Understanding or Agreement (MOU/A), which is a high-level document that specifies the terms and responsibilities of all parties involved in the interconnection.

The FedRAMP process, including the designations and the FIPS data risk categorizations, as well as the Department of Defense (DoD) Impact Levels.

FedRAMP Authorization Process:

• Initiation and Pre-Assessment: A Cloud Service Provider (CSP) expresses their intent to become FedRAMP Authorized and prepares by understanding the requirements and implementing necessary controls
• Readiness Assessment Report (RAR): At this point, the CSP works with a Third Party Assessment Organization (3PAO) to create a Readiness Assessment Report, which details the CSP's readiness to undergo a full security assessment. If the FedRAMP Program Management Office (PMO) reviews and accepts this report, the CSP is granted the FedRAMP Ready status.
• System Security Plan (SSP) Creation: The CSP prepares an SSP, outlining how the security controls required by FedRAMP are implemented in their system.
• Security Assessment Plan (SAP) Creation: The SAP details the planned security control assessment. After this, the 3PAO begins testing based on the SAP.
• Security Assessment Report (SAR) Creation: After the 3PAO conducts security testing, it creates the SAR, which details the results of the security assessment.
• Remediation of Weaknesses: The CSP resolves the weaknesses identified in the SAR.
• FedRAMP In Process: If an agency or the Joint Authorization Board (JAB) accepts the risk presented in the SAR and is actively working with the CSP towards a FedRAMP Authorization, the CSP is granted FedRAMP In Process status.
• Authorization Package Review: The 3PAO reviews the final authorization package, which includes the SSP, SAP, SAR, and a Plan of Action and Milestones (POA&M) that details how the CSP plans to address any remaining weaknesses.
• Provisional Authority to Operate (P-ATO) or Authority to Operate (ATO): If the package is accepted by the JAB or a federal agency, the CSP is granted a P-ATO (from the JAB) or an ATO (from an agency), which marks the CSP as FedRAMP Authorized.
• Continuous Monitoring: The CSP must continually monitor and report on their security controls to maintain their FedRAMP Authorized status.

The Federal Information Processing Standards (FIPS) Publication 199 categorizes information systems based on the risk to organizational operations, organizational assets, and individuals should there be a loss of confidentiality, integrity, or availability.

• Low-Impact: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
• Moderate-Impact: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
• High-Impact: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

FedRAMP authorizes systems at the Low, Moderate, and High impact levels as defined by FIPS 199.

For Department of Defense systems, the Impact Level Authorization goes from IL2 to IL6:

• IL2 allows for non-controlled unclassified information.
• IL4 allows for controlled unclassified information.
• IL5 allows for higher-level controlled unclassified information.
• IL6 allows for classified information up to secret.

These levels reflect the sensitivity of the data that the system will be handling, and higher levels require more stringent security controls. The processes for achieving these authorizations are similar to FedRAMP, but with additional requirements specific to the Department of Defense.