WHO NEEDS FedRAMP?
Any CSP that plans on conducting business with a US Government Agency needs to hold a FedRAMP Authority to Operate (ATO). Additionally, FedRAMP certification may boost any client’s confidence in security processes as it demonstrates a continual commitment to upholding the utmost security standards.
FedRAMP certification increases your organization’s security credibility beyond the FedRAMP Marketplace. Organizations can publicize their FedRAMP approval, demonstrating their due diligence and the priority they place on security standards. When it comes time to close business deals, holding a FedRAMP certificate may be less significant in some sectors, but for clients in both the public and commercial sectors who understand what FedRAMP entails, a lack of authorization can be a deal breaker.
WHAT IS THE PROCESS TO GET AUTHORIZED?
A FedRAMP Authorization can be obtained in two ways:
1) As a Provisional Authority to Operate (P-ATO) through the Joint Authorization Board (JAB), or
2) Sponsored through an agency.
At any stage within the Agency Authorization process, agencies may interact directly with a Cloud Service Provider (CSP) for authorization. CSPs who choose to work directly with an agency to obtain an Authority to Operate (ATO) will collaborate with that agency throughout the FedRAMP Authorization process. Before an organization receives an ATO, FedRAMP documentation must be submitted using the FedRAMP templates. To obtain the FedRAMP Readiness designation, a CSP must perform a Readiness Assessment with a certified Third-Party Assessment Organization (3PAO). The organization should then ensure that it has a fully developed and working system, as well as a leadership team that is committed to and completely on board with the FedRAMP process, before engaging with FedRAMP during the intake process by completing a CSP Information Form.
FedRAMP identifies three categories of possible impact on businesses or persons when a security breach occurs: a loss of confidentiality, integrity, or availability. Each of these three categories is rated for the cloud system at a minimal, moderate, or maximum potential impact value. The information system’s overall level is the high-water mark of the three ratings; in practice, the majority of FedRAMP authorized systems are rated “moderate”.
It is important to note that a CSP is not designated “FedRAMP Ready” until its FedRAMP Readiness Assessment Report (RAR) is approved by the FedRAMP PMO. Once approval is granted, the CSP is listed on the FedRAMP Marketplace as “FedRAMP Ready”.
HOW DOES ELEVATE HELP COMPANIES?
At Elevate, we believe there should be a separation between the readiness team and the auditors to create an unbiased, conflict-of-interest-free environment. Elevate offers the following services to assist you in your FedRAMP journey:
- Readiness Assessment – Elevate will conduct a readiness assessment and determine whether the minimum requirements for a FedRAMP ATO are met. After the assessment is complete, Elevate can work with the 3PAO on your behalf during the preparation of the Readiness Assessment Report (RAR) to include in your FedRAMP submission for a JAB authorization. Topics covered in this assessment include boundary validation, policy and procedure status, assessment of mandatory technical requirements, change management maturity, vendor dependencies, etc.
A Readiness Assessment is only needed for CSPs looking to obtain a JAB P-ATO; for CSPs seeking an ATO directly from a federal agency, a Readiness Assessment is not required.
- Advisory Consulting – Elevate will provide expert consulting on your organization’s security controls, system architecture, and environment, providing you with updated policies and procedures, a System Security Plan (SSP), and the other documentation required to attain FedRAMP compliance (e.g. configuration management plan, business continuity plan, hardening standards, etc.).
- Penetration Testing and Continuous Scanning – Elevate can perform Penetration Testing and Continuous Scanning in accordance with FedRAMP guidelines.
- Continuous Monitoring – FedRAMP requires continuous monitoring to maintain system compliance after a FedRAMP ATO is achieved; Elevate can conduct continuous monitoring activities on a monthly, quarterly, and annual basis.
Throughout the above services, Elevate will provide you with the proper documentation necessary for your FedRAMP submission. These items include:
- System Security Plan (SSP)
- Configuration Management Plan (CMP)
- Business Continuity Plan (BCP)
- Cyber Incident Response Plan (CIRP)
- Rules of Behavior (RoB)
- Information System Contingency Plan (ISCP)
- FedRAMP compliant Policies & Procedures (P&P)
- Security Requirements Traceability Matrix (SRTM)
Intensive assessments such as FedRAMP certification can be an intimidating burden to navigate, especially for organizations that do not conduct them regularly. Proper preparation is the key to making the assessment as cost-effective and time-efficient as possible.