FedRAMP: FAQs to Understand the Authorization Process

Cloud-based services deliver a variety of on-demand services—applications, development platforms, servers, data storage, and more—to customers over the internet. When the customer is a federal agency, security is essential for the cloud service and the data that’s used and stored.

The government requires cloud service providers (CSPs) used by federal agencies to undergo an authorization process known as FedRAMP.

Following are some commonly asked questions about the program.

What Is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program defining standardized security assessment, authorization, and monitoring processes that allow CSPs to be used by all federal agencies.

What Are the Benefits of FedRAMP for Your Business?

FedRAMP uses an audit-once, use-many-times methodology.

The streamlined approach allows agencies to save time, money, and effort when using cloud services while also protecting federal information.

What Are the FedRAMP Control Requirements?

FedRAMP control requirements derive from the National Institute of Standards and Technology (NIST) Special Publication 800-53 revision 4. The controls are selected based on the risk impact level of the system.

While CSPs can identify the risk level of their system, it’s best to work with your agency customers to identify their specific use case to finalize the system impact level.

Table with the explanations for the Low Impact, Moderate Impact and High Impact risk level as well as what the required control number is for each impact.

How Can You Achieve FedRAMP Certification?

CSPs receive FedRAMP authorization. At the end of the process, a federal agency authorizes the system for use within their agency with an Authority to Operate (ATO) letter.

There are four main phases to become FedRAMP authorized.

1. Control Implementation and Documentation

CSPs need to understand which controls to implement, and then document details around how you implemented those controls in your System Security Plan (SSP).

Many CSPs seek outside help to complete the SSP, either entirely outsourcing the work or hiring consultants for guidance.

CSPs need to work with the Authorizing Official (AO) with their federal clients to determine which control baseline to follow.

2. 3PAO Assessment

Once controls are implemented within the environment and the SSP is complete, CSPs will hire a Third-Party Assessor Organization (3PAO) to complete the assessment.

The assessment has two main phases—control testing and penetration testing.

Control Testing

During control testing, the 3PAO will review the SSP, policies, and procedures, and evaluate the function of corporate processes and system configurations to confirm they follow FedRAMP requirements.

Once the assessment begins, the CSP is listed on the FedRAMP Marketplace as “FedRAMP In-Process.”

Penetration Testing

During the penetration test, the 3PAO penetration tester will test the external and internal system components to identify system vulnerabilities.

3. Document Evaluation by CSP Agency Customer

When the 3PAO assessment is complete, the entire document package is sent to the CSP agency customer to evaluate.

Once satisfied, the agency customer can issue their ATO.

4. PMO Review

When the agency ATO is ready, the FedRAMP Program Management Office (PMO) will review the document package to ensure consistency across other FedRAMP submissions.

Once the FedRAMP PMO review is complete and all their questions answered, the CSP is listed on the FedRAMP Marketplace as “FedRAMP Authorized.”

How Can You Stay in Compliance with FedRAMP?

CSPs are complete once the ATO is issued. Continuous monitoring is a key component to maintaining FedRAMP authorization.

CSPs must continuously:

  • Monitor their environment for vulnerabilities
  • Report the status of previous audit findings and vulnerabilities each month
  • Report new vulnerabilities that aren’t fixed on time
  • Have their 3PAO reassess the environment each year

For How Long Is FedRAMP Authorization Good?

Each federal customer will issue their own ATO based on the document package, and each agency can decide the duration of their ATO validation.

CSPs should meet with their agency customers each month to communicate the status of current and past vulnerabilities, but also their standing with those customers.

Do You Need a Sponsor for FedRAMP?

There are two main paths to FedRAMP Authorization. Most CSPs work directly with a federal agency to get through the FedRAMP program.

In some cases, CSPs can work with the FedRAMP Joint Authorization Board (JAB) to get a Provisional Authority to Operate (P-ATO). The JAB is comprised of representatives from the General Services Agency (GSA), Department of Homeland Security (DHS), and the Department of Defense (DoD).

CSPs working towards FedRAMP but not yet ready for a full assessment can complete a Readiness Assessment Report (RAR) to get listed on the FedRAMP Marketplace as “FedRAMP Ready.”

The RAR is a 3PAO assessment but focuses on a consolidated set of controls from the relevant baseline. “FedRAMP Ready” doesn’t mean the system is fully authorized for use within the government but confirms implementation and assessment of key security controls.

In either case, a US federal government security personnel must review both the CSPs document package and the results from the 3PAO assessment to issue an ATO.

We’re Here to Help

To learn more about receiving FedRAMP authorization, contact your Moss Adams professional or visit our FedRAMP Compliance Services.

Contact Us with Questions

Enter security code:
 Security code