We previously covered the basics of FedRAMP by simply asking “What is FedRAMP?” This time, we’re going to talk about how to become FedRamp Certified Cloud Service Provider (CSP). We’ll talk about some of the advantages of being FedRAMP authorized. We’ll also discuss FedRAMP compliance versus certification to understand the difference. Additionally, we will define terms you will need to know during your FedRAMP journey.
How to Become FedRamp Certified: What is FedRAMP?
FedRAMP is an acronym for the Federal Risk Authorization Management Program. Essentially, it is the regulatory mechanism introduced by the U.S. Government to reduce cyber risk when using cloud services. FedRAMP allows Cloud Service Providers (CSPs) the ability to market their services to Federal Agencies.
There’s more to FedRAMP than just being a mechanism to enable business, however. It is a means of ensuring cyber security is a continuous process for CSPs. The Department of Homeland Security (DHS), General Services Administration (GSA), FedRAMP Program Office (PMO), and the Department of Defense (DoD), all play a part as stakeholders that set the rules to keep CSP environments compliant and secure.
Step 1: Decide to work with a modern FedRAMP 3PAO
Moving towards FedRAMP should not be a quick decision. This program is a major undertaking by any organization that has a strong desire to work within the government sector. There are two ways to how to become FedRAMP Certified. One path on how to become FedRAMP Certified is via the Joint Accreditation Board (JAB) where a CSP can be granted provisional authorization. The second path on how to become FedRAMP Certified, and the more common approach, is to work directly with a Federal Agency to pursue an Authority to Operate (ATO). If this path is selected, the CSP will work with the Agency throughout the authorization process for their Cloud Service Offering (CS).
Without this authorization, it is nearly impossible to convince the US Government to use your cloud product. Therefore, each entity that has a cloud product and wants to work with the US Government must be FedRAMP authorized. Without this formal approval, your organization will not be able to sell your cloud services to the U.S. Government. Your organization should develop a timeline, budget, expected return on investment (ROI), and level of effort, before deciding to begin the FedRAMP authorization journey.
Step 2: Seek Agency Sponsorship
FedRAMP Compliance is a long process. However, it is first started by gaining an initial sponsorship approval known as an “Agency Sponsorship” from a government agency interested in your cloud product. The initial FedRAMP sponsorship is a critical step in starting the journey. If you are unfamiliar with how to obtain a sponsorship, consider working with an expert that can guide you through this process.
The remainder of your how to become FedRAMP Certified is highly dependent on the type of agency you are working with, your commercial operations, and the level of familiarity you have with the actual audit process. The FedRAMP audit conducted by a qualified 3PAO, and the subsequent review by the Federal Program Management Office (PMO), are the deciding factors as to whether your CSO will be authorized to be used by the U.S. Government.
The FedRAMP PMO and the agency’s security team will often release continuous changes to the standard that the CSP must adhere to. Due to these constant changes in the policies and procedures, your organization should have on staff an expert, or team of experts, to help you navigate through the FedRAMP continuous monitoring process.
Step 3: Initiate Fedramp Readiness Assessment
FedRAMP Compliance is based on NIST Special Publication 800-53 rev 5 along with several supplementary documents that can be directly downloaded from the official FedRAMP website. We recommend that you start reviewing and downloading the documentation directly from the official source. Your organization may currently hold several certifications such as SOC 2, ISO 27001, HITRUST, among others.
All of those certifications lead organizations to a false sense of understanding on what is actually required by the US Government. The FedRAMP security certification process is radically different from any other security certification your organization may have undergone . For your implementation strategy, automation and audit strategy, we recommend engaging prior US Government Information System Security Managers (ISSMs) and experienced professionals to help you navigate the FedRAMP authorization process.