The Heavyweight Rules and Concepts You Need to Know About FedRAMP

The first rule of FedRAMP is …

You do not talk about FedRAMP! (Sorry, that’s of course a quote from Fight Club, a movie about an insomniac office worker looking to shake things up with, well… fighting.) The real first rule about FedRAMP is that companies should attain the certification to show that their cloud service products and services are secure enough for US government data.

To help explain the FedRAMP program and how it interplays with FISMA, RMF, NIST 800-53, and other key terms, this post lists the key events and laws in the FedRAMP universe.

But first, who should care about this FedRAMP article and why?

CSPs – Cloud Service Providers have the biggest stake here. If they want to build a trusted and compliant cloud solution to sell to government agencies, understanding FedRAMP is a must.

3PAOs – Third Party Assessment Organizations (like us) must follow complex FedRAMP rules, templates, and standard reporting tools to assess and validate CSPs. 3PAOs should understand the history of the program, as well as how emerging regulations impact its implementation. Overlapping compliance mandates cause real-world problems.

Government contractors and employees – anyone working with FedRAMP-authorized products and services. Get smart(er). Why not?

Other organizations – FedRAMP is essentially a risk management tool and security framework. If your organization is implementing or considering NIST 800-171, NIST 800-53, ISO 27001, or any other cybersecurity framework, then general knowledge of the FedRAMP levels and security controls is beneficial.

Legal Timeline and Sequence of Events

Year-by-year for the chronologically-oriented:

1) Before FedRAMP, there was FISMA. FISMA, or the Federal Information Security Management Act, was passed in 2002, before clouds were really “a thing.” FISMA 2002 defined the IT security requirements for federal agencies. FISMA stated that each federal agency must develop, document, and implement an agency-wide program to provide information security to protect its data and systems.

2) NIST enters the ring. Under FISMA 2002, NIST, or the National Institute of Standards and Technology, was required to produce several key security standards (for agencies) to support and implement FISMA. The project was called the FISMA Implementation Project. NIST subsequently created FIPS 199, FIPS 200, and NIST Special Publications (SP) 800-53, 800-59, and 800-60. Then NIST began developing NIST SP 800-37, 800-39, 800-171, 800-53A and NIST Interagency Report 8011.

3) NIST published NIST SP 800-37 revision 1 – the guidelines for applying the Risk Management Framework (RMF) to federal information systems. The six-step RMF includes security categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring.

4) FedRAMP, or the Federal Risk and Authorization Management Program, was introduced. The program created a process for agency and private sector CSPs to attain certification so they can store government data. From the federal government’s perspective, it’s a risk management tool. FedRAMP mirrors FISMA in that the risk levels and corresponding security controls are based on NIST 800-53. But where FISMA was written only for federal agencies, FedRAMP was written for the private sector too.

5) FISMA 2002 was amended. The new Federal Information Security Modernization Act of 2014 (FISMA 2014) updated the information security requirements for federal agencies. It also clarified and codified the roles of the Department of Homeland Security (DHS), OMB, and the Director of National Intelligence (DNI).

6) NIST SP 800-53 revision 4 was released.

7) GSA added Cloud Special Item Number (SIN) 132-40 to IT Schedule 70. There are several sub-categories: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).

8) NIST released its proposed revision 5 to SP 800-53. This revised guidance will still only apply to federal systems, but it’s intended to be more accessible to non-federal and private sector organizations that want to implement it.

9) FedRAMP announced it achieved the milestone of 100 Cloud Service Provider (CSP) authorizations. There are some big names on this list – AWS, Salesforce, Adobe – as well as a range of newer cloud solutions.

Today. As of now, the government has 5 of its own FedRAMP-authorized clouds. These are clouds that are owned and controlled by the government and used by one or multiple agencies. Sera-Brynn is the 3PAO for 2 of the 5 authorized clouds and aspires to assess more.

The Future. The FedRAMP Project Management Office (PMO) states it will make periodic updates to documents available for public comment with advance notice. To learn more, visit www.fedramp.gov.

Bonus Facts

Like all other U.S.-based cybersecurity mandates, FedRAMP cannot be looked at in a vacuum. Here is a list of some other laws and guidelines FedRAMP states it has considered:

  • Computer Fraud and Abuse Act [PL 99-474, 18 USC 1030]
  • E-Authentication Guidance for Federal Agencies [OMB M-04-04]
  • Federal Information Security Management Act (FISMA) of 2002 [Title III, PL 107-347]
  • Freedom of Information Act as Amended in 2002 [PL 104-232, 5 USC 552]
  • Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy [OMB M-01-05]
  • Homeland Security Presidential Directive-7, Critical Infrastructure Identification, Prioritization, and Protection [HSPD-7]
  • Internal Control Systems [OMB Circular A-123]
  • Management of Federal Information Resources [OMB Circular A-130]
  • Management’s Responsibility for Internal Control [OMB Circular A-123, Revised 12/21/2004]
  • Privacy Act of 1974 as amended [5 USC 552a]
  • Protection of Sensitive Agency Information [OMB M-06-16]
  • Records Management by Federal Agencies [44 USC 31]
  • Responsibilities for the Maintenance of Records About Individuals by Federal Agencies [OMB Circular A-108, as amended]
  • Security of Federal Automated Information Systems [OMB Circular A-130, Appendix III]

Irrelevant Bonus Fact

2019 marks the 20-year anniversary of Fight Club, the movie. Absolutely nothing to do with FedRAMP, but if you have read this far already, you may as well know.

For More Information

To learn how Sera-Brynn can help with your FedRAMP goals, email fedramp@sera-brynn.com and we can schedule a conversation.