Cloud Service Provider Requirements for FedRAMP Compliance

By Lindsey Benes, Sera-Brynn Security Analyst

In the realm of securing sensitive data, acronyms abound, and FedRAMP is one heard quite often. The Federal Risk and Authorization Management Program, or FedRAMP, was developed to standardize the approach to security assessment, authorization and continuous monitoring for cloud products and services used by the federal government. FedRAMP was developed in collaboration with the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense (DOD), and the Department of Homeland Security (DHS). As with most frameworks, FedRAMP is still being refined so that its guidelines are both comprehensive and practical for providers to follow.

As technology continues to advance, so has the demand for virtualization, convenience and central management of data. As a result, many organizations that manage federal data, including Controlled Unclassified Information (CUI), are turning to cloud computing services for these capabilities. FedRAMP compliance is a measure of assurance in the security of an external Cloud Service Provider (CSP).

Organizations seeking to implement or replace a Cloud Service Provider can find a list of compliant providers at https://marketplace.fedramp.gov/. On this site, users will see CSPs grouped into three categories: Ready, In Process, and Authorized. Only CSPs that have completed the rigorous FedRAMP authorization process are considered "Authorized." An "Authorized" CSP has already worked directly with a Federal Agency sponsor and an independent assessor to complete a full security assessment and has been granted an Authority to Operate (ATO). Ongoing continuous monitoring is paramount to a CSP maintaining compliance and its "Authorized" status.

FedRAMP "Ready" systems are not considered FedRAMP "Authorized." While their security posture has been reviewed by a Third Party Assessment Organization (3PAO), they have not yet completed the full authorization process and still have additional steps to complete before an ATO is granted.

Lastly, cloud services "In Process" are not FedRAMP compliant, as they are still working to attain a FedRAMP authorization. Authorization is also not the end of the road: once authorized, a CSP must report any change to its system that is not already covered by its Configuration Management Plan to its Authorizing Official (AO). FedRAMP authorization is mandatory for any cloud service a federal agency uses, including services that house sensitive data such as CUI. It promotes a model of "do once, use many times," which allows a CSP to complete a FedRAMP authorization once and reuse it with numerous Federal Agency customers. It is an efficient approach to ensuring the security and integrity of sensitive data and preventing breaches in the unpredictable and dynamic world of cybersecurity.

Sera-Brynn is a certified third party assessment organization (3PAO) authorized by the U.S. Government to perform FedRAMP assessments on cloud service providers.