FedRAMP “In Process”: What It Means and How to Get Listed

FedRAMP, the Federal Risk and Authorization Management Program, is a way for cloud service providers to undergo auditing, scrutiny, and testing to validate their security. This security encompasses primarily information security but also user authorization and authentication, physical security, and more. It’s a way for the government to moderate and oversee the contractors that intend to work with its agencies and maintain consistent high-level security across any surface that handles controlled unclassified information.

It’s incredibly important, in other words.

If you’re a cloud service provider and you want to work with a government agency as a contractor, you have to pursue FedRAMP authorization. Once you achieve it, you can reap the rewards, including specific government contracts and a listing on the FedRAMP Marketplace, which lists all of the cloud service providers authorized to provide services so that government agencies can shop for service providers.

Currently, there are 474 cloud products, 234 agencies, and 42 assessors listed in the marketplace. To add your name to the list, you need to pursue FedRAMP certification and authorization.

The Five Possible Statuses

There are, technically speaking, five possible statuses you can have in the FedRAMP Marketplace. Only three of them are actually listed in the Marketplace, however; the other two have different ramifications.

#1: Not Authorized

This is the default state of a new startup or a cloud service provider that has no intention of pursuing FedRAMP certification or working with the government or its agencies.

For obvious reasons, CSPs that are not authorized to operate with the government are not listed in the FedRAMP marketplace.

#2: FedRAMP Equivalent

FedRAMP Equivalent is an interesting designation. Until recently, it meant that a cloud service provider self-attested that they essentially met all of the requirements to be FedRAMP authorized, but they didn’t want to go through the lengthy process of auditing and validating to achieve full certification. Government agencies could choose to work with these self-certified CSPs, and the CSP would assume the risk and liability of a breach.

However, in a recent memo from the Department of Defense, the equivalency clause was changed and clarified. Now, the government agency or contractor assumes the risk of ensuring that the CSPs they work with adhere to their FedRAMP equivalent security standards. This has shifted the paradigm and promises many ripple effects throughout the industry, likely making Equivalency less sought-after and less useful to achieve.

This is a complex change, but we’ve been covering it in detail in recent posts. You can read more about it here:

If you have further questions not covered in those posts, feel free to reach out and ask us directly, or ask us in the comments of one of those posts.

It’s worth mentioning here that, while FedRAMP Equivalent cloud service providers may have a security posture that meets or exceeds the baseline minimums required of FedRAMP standards, since they have not sought full authority to operate, they are also not listed in the Marketplace.

#3: FedRAMP Ready

FedRAMP Ready is the third of the five possible statuses you can have as a cloud service provider and the first that can be listed on the Marketplace. What does it mean?

FedRAMP Ready means that the cloud service provider has submitted a Readiness Assessment Report as prepared by a Certified Third Party Assessment Organization, or 3PAO, and that the report has been reviewed and approved by the FedRAMP Program Management Office.

The FedRAMP Ready designation is only available to cloud service providers at the Moderate or High impact level. For more about impact levels, see this guide. Additionally, a CSP is only deemed FedRAMP Ready for one calendar year from the date of the review by the PMO, after which it will need to resubmit the documentation for another review.

FedRAMP Ready is a necessary step for a CSP to pursue a Provisional Authority to Operate, which allows them to be listed in the Marketplace and to be available for, or bid on, government contracts. It’s also often considered an intermediary step for CSPs looking for full Authority to Operate with an agency partner.

It’s essentially a designation that says, “We meet general requirements and are willing to work with any government agency or contractor that needs our services,” but does not require an existing agency contract to pursue.

Additionally, FedRAMP Ready is a fallback designation. If a cloud service provider achieves FedRAMP Authorized status and is actively working with a government agency but somehow loses that contract while still maintaining an appropriate security posture, then they will be listed as FedRAMP Ready for the remainder of the calendar year, during which time they can pursue a P-ATO or seek out new agency contracts for new ATOs.

#4: FedRAMP Authorized

FedRAMP Authorized is the fifth of the five statuses. Yes, we have it listed as #4; we’ll get to why in a moment.

FedRAMP Authorized is the fully authorized status: the CSP is actively working with a government agency and holds a full Authority to Operate from the Joint Authorization Board. In order to achieve this status, the cloud service provider must go through the full auditing and authorization process, working with both their agency sponsor and the 3PAO they pick, as well as with the JAB itself. This is a strict, detail-oriented review that can take months and can be lost over even small details. It’s extremely important, extremely valuable, and both very time-consuming and very strict.

#5: FedRAMP In Process

The In Process designation for a cloud service provider is among the most interesting and important designations you can have as a CSP. It indicates that the CSP has been chosen as one of the dozen CSPs that the JAB will work with for a given year and is currently undergoing the FedRAMP Connect process wherein they appeal to the JAB for full authority to operate. As the name implies, it’s the designation for being in the process of obtaining Authorized status.

There are many rules and details surrounding this designation, which is why we put it last despite it being a transitional status. Let’s dig deeper into what it means.

FedRAMP In Process is Very Exclusive

First of all, because of the depth and detail of the authorization and auditing process, and because the JAB only has so many specialists working for it at any given time, only a bare handful of cloud service providers are chosen to pursue full Authority to Operate each year. Specifically, the JAB can choose up to 12 CSPs each year; it can occasionally choose fewer than twelve if it has reason to do so. That means at any given time, there will be at most a dozen cloud service providers with In Process status listed on the marketplace.

In order to be considered, a CSP must submit a business case that “provides detailed product information and government-wide demand.” If a CSP can’t successfully argue their case, they won’t make it past this point.

What Are the Requirements for Reaching FedRAMP In Process?

There are two different ways that a cloud service provider can be listed as In Process in the FedRAMP Marketplace. The first is when they are seeking a Provisional Authority to Operate from the Joint Authorization Board, and the second is when they have an agency partner and a contract ready to go and are working with that agency specifically.

Working With the JAB for P-ATO

Before a CSP can be listed as In Process, they must accomplish several tasks.

First, they must achieve FedRAMP Ready within 60 days of receiving prioritization from the JAB. Delaying on this front is tantamount to declaring that they aren’t taking it seriously enough to warrant further progress.

Next, they must have a finalized system security plan. The system security plan is a whole process in and of itself, and requires a series of specific documents to be filled out and filed appropriately. A guide can be found on FedRAMP’s site here.

The CSP must also engage a certified and recognized Third-Party Assessment Organization – a 3PAO like us – to develop a Security Assessment Plan, conduct a full security assessment according to the security assessment plan, and produce a finalized security assessment report that contains the results of the security assessment. In other words, they must outline their security posture, have that posture audited, and successfully pass that audit.

All documents in the total security package must be uploaded to MAX.gov, the federal document repository. This is for cloud service providers achieving Moderate impact level baselines. For CSPs that are aiming for High baseline security, they will need their own repository for those same documents.

Once all of this has been achieved according to the specified timeline and in conjunction with the 3PAO, a formal Kickoff Meeting will be organized. This meeting will host representatives of the CSP, the JAB, the PMO, and the 3PAO. This meeting is the decision point for either a “go” or a “no-go” decision from the JAB. If all is good to go, this initiates the P-ATO process with the JAB, and the CSP can be listed as In Process (In JAB Review) in the Marketplace.

Working With an Agency for ATO

For cloud service providers that have a contract with a federal agency, that agency can affirm a written Intent to Authorize. This kicks off the process for authorization with that agency. The CSP must obtain written confirmation of the agency’s intent.

With the intent in hand, the CSP must also complete a Work Breakdown Structure and send it to the PMO within the timeline requirements as specified in the process. Working with the PMO, the CSP must confirm their systems are fully operational as defined by the PMO. Furthermore, the CSP must complete at least one of the four possible additional requirements. The additional requirements are:

  • The agency provides proof of a contract award for the use of the CSP.
  • The agency and the CSP demonstrate the use of the service offering to the PMO.
  • The CSP is currently listed as FedRAMP Ready in the Marketplace.
  • The CSP has undergone the P-ATO process and completed a Kickoff Meeting.

As long as one of those four is met, and the other requirements described above are met, the CSP can be granted permission to proceed with the ATO process with their agency and can be listed as FedRAMP In Process (With Agency) on the Marketplace.

Finishing the Process

Any cloud service provider that is listed as In Process will only remain In Process for a relatively short amount of time.

There are two possible outcomes. They may succeed in the process and be granted a P-ATO or ATO, at which point they will be listed in the marketplace as FedRAMP Authorized. Or, they will fail the process and will be denied FedRAMP authorization to operate, and will be removed from the marketplace until they try again and successfully pass the process.

Achieving FedRAMP Authorization

The full process for achieving FedRAMP authorization is full of bookkeeping and paperwork. One of the most difficult aspects of that process, in fact, is making sure all of the records and data that need to be harvested are kept and collated properly. All too often, CSPs trying to achieve authority to operate are lost in a mire of non-synced documents in siloed software, making it difficult to successfully collaborate with team members internally, not to mention with external groups like the PMO and the 3PAO.

Fortunately, that’s where we come in. The Ignyte Platform was designed as an alternative to those siloed programs, as a secure, cloud-based recordkeeping hub where all of your compliance data and documents can be listed. While we won’t do the entire process for you, we make it significantly easier to keep track of everything you do.

Furthermore, as a certified and recognized 3PAO, we can work with you to achieve certification, should you so desire.

To use either of our services, feel free to reach out and contact us today. You can request a demo of the Ignyte Platform here, or simply contact us directly.