
Complex FedRAMP Process Requires Meticulous Approach

08/05/2015  |  By: Sese Bennett, CISSP, CISM, QSA, ITIL, HITRUST CSF, Senior Manager, Information Security



As of June 2014, a Federal Risk and Authorization Management Program (FedRAMP) authorization is required for all cloud service providers (CSPs) selling cloud services to federal agencies or state or local governments.

Preparing for the FedRAMP readiness assessment is a highly detailed process. On average, most organizations pursuing a FedRAMP Authority to Operate (ATO) will need six to 12 months to prepare. The FedRAMP-provided templates alone are over 400 pages long, and FedRAMP applications typically encompass 600 to 1,000 pages of security-related documentation.

In an effort to fast track their FedRAMP ATO, some CSPs jump into assessments without adequate preparation. But rushing to complete System Security Plans (SSPs), policies and procedures, and submitting them without the level of detail the FedRAMP PMO is looking for is a shortsighted approach. Poor preparation can result in rejection of a company’s FedRAMP application, which translates to wasted time and resources and a prolonged approval process. In the end, a longer path to authorization means more time waiting to begin work on any successful government bids.

Given the time and investment required to prepare for FedRAMP certification, there is great value in meticulous preparation. Use these three strategies to help ensure you are well prepared:

1. Be clear, concise, consistent and complete! 

This advice should guide you throughout the process — particularly when it comes to the system security plan. A robust and well-documented security program is critical to passing the security assessment. Err on the side of exhaustive detail, and make sure you use consistent language throughout the FedRAMP documentation.

For example, when preparing your security plan, the level of detail you should cover includes:

Confirm the characteristics of your systems. Thoroughly inventory, document and baseline your entire cloud environment and all of its system boundaries. A CSP should incorporate NIST SP 800-145 guidance and validate how its cloud solution maps to the NIST definition of cloud computing.

Clearly define and describe system boundaries. Create a diagram and description of the major components of your system as well as any connected third-party systems. When determining a system boundary, confirm which hosts and assets fall under your environment’s common controls and which are specific to your cloud solution. Clearly defining your information system and treating the cloud solution as a sub-system of your environment provides a targeted and cost-effective approach to an effective risk management process.

Clearly delineate connections to the customer environment and shared responsibilities. Identify customer responsibilities as well as what your company and the agency must do to implement controls. Depending on the type of cloud service you provide (IaaS, PaaS, or SaaS), there will be differing levels of responsibility. Gather supporting documentation that clearly identifies and delineates your shared responsibility model.

Be comprehensive and consistent in your documentation. Incomplete information in any of these key areas greatly increases the chances that your FedRAMP package will be kicked back for re-work.

2. Proper preparation prevents poor performance. 

To be properly prepared, CSPs doing business with federal agencies should review the Security Assessment Framework (SAF) and the Guide to Understanding FedRAMP. They should also become familiar with FedRAMP’s four process areas:

  • Document
  • Assess
  • Authorize
  • Continuous Monitoring

3. Enlist the services of a strong third-party assessment organization (3PAO).

A 3PAO can help you in a variety of ways — from evaluating your readiness for FedRAMP and helping your organization create your system security plan, to ensuring your application is detailed, comprehensive and consistent. The right 3PAO partner also acts as a FedRAMP interpreter. They will guide you through proper preparation and documentation, decipher what the requirements mean for you, and provide guidance on what the FedRAMP Readiness and Development Team expects. Given that, many organizations consider the upfront investment to enlist a 3PAO worthwhile in order to anticipate any glitches and smooth the path to receiving a FedRAMP Authorization to Operate (ATO) more quickly.

These three strategies should help you navigate the challenging road to a FedRAMP ATO more easily. A well-prepared CSP that employs a meticulous approach during the FedRAMP application process can look forward to a smoother road to FedRAMP authorization and, ultimately, to enjoying the financial upside a FedRAMP certification brings.

To learn more about FedRAMP Certification, download a free copy of our upcoming guide below, Grow Your Business With FedRAMP Certification. On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter at @lbmcsecurity.
