Navigating Authority to Operate: FISMA or FedRAMP?
Decades ago, the government stood on its own. While it would often contract out with individuals and companies for services, there was always a barrier between third-party operations and government operations to prevent intrusion, infiltration, or compromise.
Over the years, though, society has grown more and more complex. The advent of computerized systems, networks, and the internet means that an immense amount of complexity that was formerly handled by paperwork and people now has to live in those systems. The modern government simply couldn’t exist without computers and the networks that allow them to communicate.
With any increase in complexity, especially complexity that comes with a vast exposed surface for threats and malicious actors to assault, comes an added need for security. This leaves the government with a choice. Do they try to stand on their own, developing proprietary systems disconnected from those used by the average citizen? Or do they prioritize interconnectivity and functionality over isolation?
While some governments around the world have opted to develop their own systems from the ground up, including proprietary operating systems, most global governments, including the United States government, have opted to use off-the-shelf products. These include everything from operating systems like Unix, Linux, and Windows to standardized programs like Microsoft Office and a wide range of cloud-based applications.
While putting control over a government system in the hands of a third party may seem like a compromise waiting to happen, it has a number of significant benefits for the government.
- A cloud system has one central point of authority. You don’t end up with different organizations and agencies in the government running different, outdated versions of the same software.
- Federal regulations, auditing, and compliance rules can govern how to secure and maintain security for that cloud system without the government having to do the actual work.
- If a new threat vector or concern arises, the government needs only to change its security controls and enforce compliance rather than overhaul entire systems.
- It generally offloads a significant amount of expense to external businesses rather than using taxpayer money to do everything internally.
A potential downside to this method of handling infrastructure throughout the government is the need to develop standards, develop frameworks for applying those standards, and handle auditing to ensure compliance with those standards.
This is handled by a system of categorization through frameworks, a centralized resource of security standards and controls, and a network of further third-party businesses authorized to audit other businesses looking to work with the government.
All in all, it’s a robust and effective system, and while no system is perfect, it’s an efficient and effective way of handling the needs of the government in the modern technological age.
BLUF - Bottom Line Up Front
Authority to Operate (ATO) allows cloud service providers to work with government agencies by meeting set security standards. FISMA applies broadly to contractors and involves using NIST SP 800-53 controls. FedRAMP streamlines ATO for cloud services, enabling them to work with multiple agencies. FedRAMP requires a more rigorous security process. Other frameworks like HIPAA and DFARS exist for specific needs. Choosing the right framework depends on services, data handled, and target agencies.
What a Cloud Business Needs to Know
Understanding where the government is coming from can be foundational to understanding why seemingly arcane sets of standards and rules exist.
As a cloud service provider or CSP, you have decisions to make. One of those decisions is what framework you need to comply with in order to achieve the authority to operate with the federal government and its agencies. So, let’s talk about it.
What is an Authority to Operate?
An ATO, or Authority to Operate, is essentially permission from the government to operate as a third-party contractor working with a particular agency or department. If a government agency wants to use Google Workspace, Dropbox, or Microsoft Office 365, Google, Dropbox, and Microsoft would need to meet and achieve the security standards required of them according to the information they would be handling.
Rarely, though, does the government reach out and ask for a specific agency to comply with security standards. Instead, a government agency will have a contract open for bidding, and different service providers will apply. Those service providers need to either have an ATO or be prepared to work to get one in short order.
For a cloud service provider to achieve an ATO, there’s a whole process to go through. We outline this process in greater detail here. In short:
- The CSP must choose an agency and contract they want to work with.
- The CSP must classify their systems under established risk levels.
- The CSP must evaluate its systems and determine which security controls apply to those systems.
- The CSP must implement the security controls determined to be relevant and applicable.
- The CSP must assess and evaluate the efficacy of the security controls as implemented.
- The CSP must work with a third-party auditing organization to certify compliance.
- The CSP must establish continuous monitoring of its systems to maintain compliance over time.
Once all of this has been achieved, the cloud service provider can receive the authority to operate with that government agency and contract, and can begin working with the government.
What is NIST?
NIST is the National Institute of Standards and Technology, which is the governing body that establishes the security controls that apply to any third-party business or cloud service provider looking to work with the government. They do much more than that, of course, but for the purposes of today’s discussion, that’s their primary role.
The primary relevant document for most cloud service providers is NIST SP 800-53, which is the full outline of all the security controls and what levels and standards they must achieve. It’s a huge spreadsheet of information with several appendixes, and it’s the core document that any CSP will need to review.
What is FISMA?
FISMA is two things. First, it’s the Federal Information Security Management Act. It is a regulation that applies to all federal agencies and those that work with federal agencies, including state-level agencies that work with federal systems (like State Medicare Management Agencies) and private sector businesses. This includes private sector businesses that work as service providers and contractors for the government, as well as any that receive federal grant money, such as educational institutions.
Second, FISMA is the framework that utilizes NIST SP 800-53 as the set of baseline standards and the ATO process to authorize those CSPs to work with the government.
FISMA doesn’t apply just to cloud service providers. It applies to pretty much every contractor, service provider, and business working with the government, receiving government funds, or otherwise handling government information. It’s the broadest framework, applying to the greatest number of entities.
What is FedRAMP?
FedRAMP was designed in response to two pressures.
The first was the evolution of the cloud in software and service technology. In the past, if you needed a large amount of network-accessible storage for an agency, the agency would need to set up a server farm, secure it on its own, and use it as its own storage. Now, it’s as easy as purchasing a contract with any of the many cloud-based storage solutions, like Google Drive, Microsoft OneDrive, Dropbox, Box, or others. Cloud services are extremely convenient for many of the reasons outlined earlier in this post.
The second is the ATO process. With FISMA, the ATO is a one-to-one process. If a business wants to obtain an ATO to work with the Department of Agriculture, they could; if they then wanted to work with the Environmental Protection Agency, they could, but they would need to go through the full ATO process again and achieve another ATO to work with that agency as well. Given the sheer number of governmental agencies and the fact that a single generic service provider can be useful to many or all of them, forcing that business to go through hundreds of distinct ATO processes is unsustainable.
FedRAMP is the Federal Risk and Authorization Management Program. It was designed to promote a cloud-first approach to government agency service management and to streamline the ATO process.
What are the Differences Between FISMA and FedRAMP?
While both are aimed at getting authorization to operate with government agencies, there are important differences between the two.
Scope: FISMA is broad and applies to any contractor or service provider, cloud or otherwise, working with the government, including organizations that do little other than receive grant money. FedRAMP is much more narrowly focused on cloud service providers.
Applicability: FISMA is the law; it applies to many systems, agencies, and organizations, and it typically requires additional reporting on modernization beyond security alone. FedRAMP, on the other hand, is a one-to-many security authorization: achieving a FedRAMP ATO means the CSP can work with virtually any government agency, as long as that agency doesn’t impose additional, specific controls of its own, as the Department of Defense does.
Rigor: FISMA is deep and complex, but it’s also less rigorous than the process required to achieve a FedRAMP ATO. Since a FedRAMP ATO applies to many more agencies (even if the CSP doesn’t have immediate plans to work with more than one), it requires a deeper and more thorough analysis and application of the NIST SP 800-53 standards. It also requires a comprehensive audit from a certified third-party assessment organization, or 3PAO.
Are There Other Frameworks?
Yes. Many other frameworks take the baseline developed by FISMA and FedRAMP and extend them into specific concerns and considerations.
For example:
- HIPAA. The Health Insurance Portability and Accountability Act establishes a framework based on NIST SP 800-53 that includes additional requirements and controls for personal and health information used by healthcare providers and administrators.
- DFARS. The Defense Federal Acquisition Regulation Supplement establishes additional controls and standards to work with the supply lines and agencies related to the Department of Defense. In particular, this includes an entire additional set of standards governing Controlled Unclassified Information, outlined in NIST SP 800-171.
- HITRUST. The Health Information Trust framework is similar to HIPAA, in roughly the way FedRAMP relates to FISMA; it’s a more general set of standards for working with personal health information and can layer over and work with other frameworks, like HIPAA, ISO, and CMMC.
This only scratches the surface of the various frameworks and standards that exist. At the end of the day, though, almost all of them start from the NIST SP 800-53 security controls and add their own requirements on top.
FISMA, FedRAMP, or Another Framework?
As you can see, determining which of the many applicable frameworks is the one you need to comply with is a huge decision for any cloud service provider looking to work with the government. In large part, it depends on three things: the services you provide, the kinds of information you handle, and the agencies you want to work with. Evaluating these three and identifying the highest minimum level of standards for a framework gives you the framework you will need to use.
If you want to work with the federal government or its agencies at all, in any capacity, or if you receive federal grant money, you need to comply with FISMA standards and achieve the Authority to Operate with the applicable agencies. This is the bare minimum requirement for operating with the government.
If you want to work with more than a couple of government agencies, you are better served by working with the Joint Authorization Board to achieve a P-ATO, or Provisional Authority to Operate, under the FedRAMP standards. This allows you to work with numerous agencies without having to go through as many separate auditing processes.
If you have specific concerns above and beyond basic services, such as working with CUI, working with PHI, or handling other kinds of sensitive information, you will have to evaluate whether or not that information requires you to comply with additional standards above and beyond basic NIST SP 800-53 security controls. (Hint: The answer is yes.) Then, identify which one and what additional security controls you need to implement.
This is all a large and complex task. Fortunately, you don’t need to handle it all on your own. At Ignyte, we can serve three roles for you. The first is information: by reading our blog, inquiring with our staff, and working with us, you can figure out exactly what level of security compliance you need to achieve. The second is operational: by using the Ignyte Platform, you can create a centralized database of all of your business services and the required security controls for each, along with their status. The third is auditing: as a certified 3PAO, we can help you achieve certification and compliance so you can start your journey as a government contractor.
To learn more about any of these, feel free to reach out at any time.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to the defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.