make a good business better

Blog Information Security

Print Divider Print Divider Branding

Guidance on Achieving FedRAMP Certification

10/07/2015  |  By: Sese Bennett, CISSP, CISM, QSA, ITIL, HITRUST CSF, Senior Manager, Information Security


Social Logo Social Logo Social Logo Social Logo

FedRAMP certification is a collective effort, which is why you need to become familiar with the players involved, and their respective roles. While you have some flexibility as to how and when you use 3PAOs, there are restrictions which dictate how the key players can participate in the FedRAMP assessment and certification process.

Specifically, if you partner with a 3PAO, you can’t use the same company for both the readiness work and the audit. And if you use one organization for the readiness work, you must find another qualified 3PAO to perform the assessment or audit. 

Paths to Certification

Option 1 is where companies opt to do the prep work themselves and then use one 3PAO for either the readiness assessment or the audit. This applies to CSPs who may or may not have an agency sponsor and who have decided to submit their own package.

This choice can lead to a longer process depending on the availability of dedicated resources and how well they are able to interpret FedRAMP requirements. It can also prove challenging to independently navigate the process and overcome any hurdles that may be encountered.

Option 2 is the most common — companies use one 3PAO for readiness work and another for the assessment or audit.

Authorization Timelines Explained

To receive FedRAMP certification, CSPs must complete a FedRAMP Initiation Request and follow one of three paths for achieving an authorization:

  • JAB Provisional Authorization (P-ATO)
  • Agency Authorization
  • CSP Supplied Package

The first route is to gain a provisional ATO from the JAB, which requires a FedRAMP accredited 3PAO. Taking this path ensures a rigorous technical review by the FedRAMP Project Management Office (PMO), assessment from a FedRAMP- accredited 3PAO, and ends in a P-ATO from the DHS, DoD, and GSA CIOs.

CSPs that have an agency sponsor or are agency authorized, can seek an ATO independently. They hire a FedRAMP- accredited 3PAO to complete and submit the required documentation, testing and security assessments to the GSA’s office for verification.

Last, companies can supply and submit their own package for review directly to FedRAMP. This CSP supplied package is assessed by a FedRAMP certified 3PAO and is then put into a queue for final review — this final step is called a “package in waiting”.

The timeline to actual certification will depend on which authorization path you have chosen. Figure 3 provides some estimated timelines for the certification paths.

Figure 1: Estimated Authorization Timeline

Detailed Documentation

It all boils down to details, particularly in the documentation process. Resolve to produce the most comprehensive documentation of every facet related to your system’s security — including polices, procedures, manuals, incident response plans, and system security plans. It’s a vital part of a successful FedRAMP assessment. Without strong documentation, you simply won’t move through the process in a timely and smooth manner.

Use Available Checklist Resources

We recommend you take advantage of available pre-FedRAMP checklists before you initiate the certification process. These will help keep you focused so you can progress in a logical, efficient manner — and will streamline the path to certification.

CSP Pre-FedRAMP Certification Checklist

  1. Develop sound processes for handling electronic discovery and litigation 
support requests 

  2. Clearly define and describe the system boundaries 

  3. Identify customer responsibilities and what the CSP and agency must do to implement controls 

  4. Validate system provides identification & 2-factor authentication for network access to privileged accounts 

  5. Validate system provides identification & 2-factor authentication for network access to non-privileged accounts
  6. Validate system provides identification & 2-factor authentication for local access to privileged accounts
  7. Perform code analysis scans for code written in-house (non-COTS products)
  8. Confirm appropriate boundary protections 

  9. Remediate high risk issues within 30 days, medium risk within 90 days 

Looking to the Future

Although FedRAMP certification can be a very involved, lengthy process, it’s a net positive — leading to shared assurances, fewer assessments, better cloud security and greater overall efficiencies.

FedRAMP continues to explore new ways to tweak the process. As it evolves, it will likely become more scalable too, particularly for smaller CSPs. As new ways are identified for small to medium businesses to undertake this process economically (and in a shorter time period with a simpler process), we will see more companies receive certifications — which will be a win-win for everyone.

We strongly encourage any entity that provides cloud services to attain certification. Compliance enforcement is on the horizon. It is only a matter of time.

Start compiling your documentation today, including your governance models, remediation plans, and all security training programs, polices and procedures. Accurate, thorough documentation is essential to FedRAMP certification. Give yourself plenty of time to gather (or develop it) so you can move through the assessment process as quickly as possible.

In the meantime, agencies and CSPs should recognize that FedRAMP is not a silver bullet, but evolving, so adopting these regulations and striving for greater collaboration between CSPs, 3PAOs and the agencies they serve benefits the community at large.

Companies will also need to dedicate time to fully understanding the FedRAMP process and how the steps relate to the larger certification goal. The rigor of the requirements is designed to improve and enforce greater security in the cloud for all federal data. The speed that a company can move through the process is directly related to how robust their security protocols are when they initiate FedRAMP certification.

To learn more about FedRAMP Certification, download a free copy of our upcoming guide below, Grow Your Business With FedRAMP Certification. On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter at @lbmcsecurity.


Posted in: FedRAMP