Federal Risk and Authorization Management Program (FedRAMP) - USA

Name of the programme: Federal Risk and Authorization Management Program (FedRAMP)

Governing of the standard: The FedRAMP Joint Authorization Board (JAB)

Accreditation Body/Bodies: A board composed of NIST and the FedRAMP PMO reviews and approves qualified 3PAOs (Third Party Assessment Organizations), which are the assessors accredited to perform conformity assessment.

 

Scope: Security and privacy

Cloud-relevance: FedRAMP is a cloud-specific accreditation programme

Type of certifiable organisation: SaaS, PaaS, IaaS

Type of trust models applicable: Third party assessment

Is the certification proprietary or open: Open

Programme, status (operational, in development): Operational

The following text is based on information received from NIST and from the US General Services Administration (GSA):

FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based services. FedRAMP uses a “do once, use many times” framework that is intended to save the costs, time, and staff required to conduct redundant agency security assessments and process monitoring reports.
The purpose of FedRAMP is to:

  • Ensure that cloud-based services have adequate information security.
  • Eliminate duplication of effort and reduce risk management costs.
  • Enable rapid and cost-effective procurement of information systems/services for Federal agencies.

 

FedRAMP is the result of close collaboration with cybersecurity and cloud experts from GSA, NIST, DHS, DOD, NSA, OMB, the Federal CIO Council and its working groups, as well as private industry. The FedRAMP assessment process is initiated by agencies or cloud service providers (CSPs) beginning a security authorization using the FedRAMP requirements, which are FISMA compliant and based on NIST 800-53 rev3, and initiating work with the FedRAMP PMO.

CSPs must implement the FedRAMP security requirements in their environment and hire a FedRAMP-approved third party assessment organization (3PAO) to perform an independent assessment to audit the cloud system and provide a security assessment package for review.

The FedRAMP Joint Authorization Board (JAB) will review the security assessment package based on a prioritized approach and may grant a provisional authorization. Federal agencies can leverage CSP authorization packages for review when granting an agency Authority to Operate (ATO), saving time and money.

FedRAMP uses a security risk model that can be leveraged among agencies based on a consistent security baseline. FedRAMP provides processes, artefacts and a repository that enable agencies to leverage authorizations with:

  • Standardized security requirements and on-going cyber security for selected information system impact levels.
  • Conformity assessment program that identifies qualified independent, third-party assessments of security controls implemented by CSPs.
  • Standardized contract language to help agencies integrate FedRAMP requirements and best practices into acquisitions.
  • Repository of authorization packages for cloud services that can be leveraged government-wide.
  • Standardized On-going Assessment and Authorization processes for multi-tenant cloud services.

The FedRAMP security authorization process has four distinct areas:

1. Security Assessment.

A CSP or an agency may request a provisional Authority to Operate (ATO) granted by the JAB under the FedRAMP security assessment process. The process follows the NIST 800-37 risk management framework as tailored for a shared responsibility environment. The CSP identifies the appropriate baseline, implements appropriate security controls, and documents the implementation. The CSP contracts with an accredited Third Party Assessment Organization (3PAO) to independently verify and validate its security implementations and its security assessment package. The CSP submits the package to FedRAMP for review. Once documentation and test results are completed, the assessment is measured against the FedRAMP requirements and, if the JAB is satisfied that the risks are acceptable, a Provisional Authorization is granted. Agencies can then leverage the JAB Provisional Authorization as the baseline for granting their own ATO.

2. Leverage the Authority to Operate (ATO).

The PMO will maintain a repository of FedRAMP Provisional Authorizations and associated security assessment packages for agencies to review. Agencies can use the Provisional Authorizations and security assessment packages as a baseline for granting their own ATO. If necessary, agencies can add additional controls to the baseline to meet their particular security profile.

3. On-going Assessment and Authorization (Continuous Monitoring).

For systems with a Provisional Authorization, FedRAMP, in conjunction with the DHS, conducts on-going assessment and authorization (continuous monitoring) activities. On-going assessment and authorization (continuous monitoring) determines whether the set of deployed security controls continues to be effective over time.

4. 3PAO Accreditation.

CSPs applying for an ATO must use an accredited 3PAO. A review board, with representation from NIST and the FedRAMP PMO, accredits 3PAOs. The approval process requires applicants to demonstrate their technical capabilities and their independence as an assessor. The approval process follows the conformity assessment approach outlined in ISO/IEC 17020. FedRAMP maintains a list of approved 3PAOs from which CSPs can choose.