Fast FedRAMP Authorization


What Happens If You Lose Your FedRAMP Authorization?


We’ve talked a lot about the process a business goes through to achieve FedRAMP authorization and the ability to work with a government department or agency. What about the other side of the coin? What happens if you lose that authorization?

Depending on how and why it happens, the consequences can range from minimal to dire, so it’s important to know what to expect and be prepared.


Three Ways to Lose FedRAMP Authorization

First, let’s talk about the three different ways authorization can be lost.

The first is unwillingly. This is likely the one you’re most interested in: it’s what happens when you no longer maintain security to FedRAMP’s standards, fail an audit, fail remediation, don’t handle your POA&Ms properly, and generally stop adhering to the security requirements. When you no longer comply with the program, your authorization to work with the government will usually be revoked, and there may be additional penalties besides.


The second is through agency separation. If you’re doing business with an agency, but that agency decides they no longer want to use your service, they can choose to sever the contract from their end. The agency notifies you that they no longer intend to use your product, which rescinds your authorization to operate with that agency.

The third is through CSP separation. As a CSP, if you choose to no longer operate with the federal government, you can decide to withdraw from the program and your government contracts.

Now, let’s go through each of these. We’ll take it in reverse order, since that’s the order of escalating consequences for the CSP.

When the CSP Decides to Withdraw

First, we can talk about what happens when the CSP decides to withdraw from the FedRAMP program.

This is generally the least impactful to a CSP, largely because it’s their decision. You aren’t surprised by it, you don’t have a tight timeline (generally speaking) to deal with it, and it’s all within your control.

The specific terms (and any potential penalties) that stem from this withdrawal will be determined by the contract you have with your agency sponsors. Most of the time, as long as you’re letting a contract expire, all you lose is that contract. You stop working with the agency, the agency stops using your product, and you no longer have a contract with the government.

At some point, the CSP will also be removed from the FedRAMP marketplace. Generally, this is the result of sending a notification to FedRAMP’s program management office, but it can also happen when you simply stop submitting CONMON data, stop undergoing audits, or no longer have a valid ATO letter.

Once your listing is removed from the FedRAMP marketplace, you are officially no longer part of the FedRAMP ecosystem. You’re free to stop adhering to FedRAMP’s security framework, you can make whatever internal changes you want to your offering, and, in business terms, you can do whatever you want.


The only potential hazard here is if you continue to present yourself as FedRAMP-authorized or validated in your marketing to entice private sector customers. Using FedRAMP trademarks or claiming FedRAMP authorization when you no longer have it could constitute fraud and can be punished accordingly. So, don’t forget to remove those lines from your landing pages and marketing, if they were being used in the first place.

When the Agency Decides to Withdraw

We often think of the government as slow to act and even slower to make significant changes. That’s largely true, but it can still come as a surprise for your agency sponsor to notify you that they no longer want to use your services.

There are many reasons why a government agency might stop using the services of a CSP. Maybe you’ve removed a feature they wanted, or you’ve taken your platform in a direction that makes it less valid for the tasks they were performing with it. Maybe they have functionality in a different service that replicates yours, but with better service, and they want to change. Maybe the reason they used you has simply fallen by the wayside, and there’s no more need for your services.

Whatever the case, your agency decides they no longer need your services. What happens? FedRAMP has a simple answer.

The first step is that the agency will notify the CSP that they plan to rescind their authority to operate, citing “no longer plan to use the service” as the reason. This part is critical; it’s how FedRAMP knows that the CSP is losing authorization for a reason that is not a failure to uphold the standards of FedRAMP security.

Once the agency has notified the CSP, they will also notify the FedRAMP program management office through an email CCed to the CSP. This notice will include a specific date in the future (often when the current contract is due to expire) as the date when the ATO will be rescinded.


This leaves the CSP in a potentially precarious position, depending on its authorization and contracts. One of several things can happen.

If the CSP has other agency customers, business will basically continue as usual. The CSP doesn’t lose FedRAMP authorization in general, just the one agency customer. They can continue to work with other agencies on an uninterrupted basis.

There’s no real consequence here other than no longer having that one contract. In rare cases, this might be cause to downgrade impact levels or shift security standards, but most of the time, it’s no significant change.

If the CSP has no other agency customers, it has two choices: drop out of the FedRAMP program or seek additional agency sponsorship.

Note that traditionally, this is where there would be a divergence between the CSPs using the ATO process and those using the P-ATO process. However, the P-ATO process (the JAB authorization process) has been removed, so this distinction no longer matters.

Officially speaking, the CSP is still part of the FedRAMP program even if they have no agency customers, as long as they have a listing in the FedRAMP marketplace. The CSP must:

  • Continue to submit monthly continuous monitoring deliverables to the FedRAMP repository (or, if they’re part of the pilot program, to the trust center).
  • Continue to undergo annual assessments as before, even without agency sponsorship. If you don’t have a 3PAO audit scheduled, you may not be able to schedule a new one, but if you already had one scheduled, it isn’t automatically cancelled.
  • Be available to deliver a risk briefing to any new agency that decides they would be interested in using the CSP’s services from the marketplace.

While the CSP no longer has an active government contract, there’s very little change from the FedRAMP side. One significant change, however, is to the listing the CSP has in the FedRAMP marketplace.

Specifically, FedRAMP will add a disclaimer to the marketplace listing. Since no agency is overseeing or reviewing the CSP’s submissions, they aren’t validated the way they normally would be. FedRAMP adds this to the listing:

“This cloud service offering lacks continuous monitoring oversight from FedRAMP or any federal agency. Agencies considering using this service should review the Cloud Service Provider’s security documentation in their secure repository, directly coordinate with the CSP, and conduct their own evaluation before making an Authority to Operate (ATO) decision. Once an agency issues an ATO, agencies should submit their ATO letters to FedRAMP.”

Other agencies can consider picking up the CSP and keeping their federal relationships rolling, or they may be hesitant to do so, depending on whether or not they want to assume any potential risk.

The third option is to drop out of FedRAMP entirely. If the CSP’s sponsoring agency decides to stop working with them, it’s a chance for the CSP to decide that government work is too high a burden or not worth the effort and drop out of authorization. There are no serious repercussions for doing so; you lose your FedRAMP marketplace listing, but you don’t lose any contracts because you didn’t have any left.

The only downside is that, if you change your mind later and want to reapply to the FedRAMP program, you will have to go through all of the work as if you had never done it before. You don’t get a streamlined, easy-in because you were previously authorized. The only advantage you have is experience in being secure and potentially an existing relationship with a 3PAO.

Losing Authorization Due to Non-Compliance

Non-compliance, or unwilling removal from the FedRAMP program, is the most dangerous of the three ways to exit FedRAMP.

This is where you are in breach of contract and, potentially, federal law. Since you’re potentially putting sensitive government information at risk, there are almost definitely going to be penalties.

First of all, you’ll lose authorization with the agency or agencies that work with you. When you no longer uphold the security standards of FedRAMP, you can’t be part of the FedRAMP program. No, it doesn’t matter if you’re secure in other ways (such as a validated ISO 27001 security level); you need to follow the specific rules.


Federal contracts generally have some leeway here. After all, you might be noncompliant due to an error in paperwork or a minor, low-risk lapse in some offshoot of security that doesn’t really matter. You have the opportunity to fix the issue and get back in good standing. Agencies and FedRAMP might side-eye you a little, but there won’t be penalties beyond that.

If you fail to get back into good standing, though, you’ll lose your contracts. Often, these contracts also have specific terms and enumerated penalties for early termination, which can range from punitive to devastating. There’s no one set of penalties, and the penalties are typically more severe the higher your impact level, so be sure to know the terms of your contract.

Often, there will also be monetary fines involved. Similarly, there’s no set standard for how much those would be, but they tend to be significant.

Beyond that, there can even be criminal penalties, especially if it’s found that your company has misled the government about your security posture. One recent example involved charges of wire fraud, government fraud, obstruction, and more, with up to 20 years in prison for the stakeholder responsible.

This can cascade, as well. If a CSP is found in violation of security requirements on one contract, other customers (including those in the private sector) will start looking to see if they’re impacted as well. Similarly, if the CSP was operating as compliant under other frameworks, like HIPAA, SOC 2, ISO 27001, or even GDPR, it may also be found in violation of those and suffer even more severe penalties.

Even if no criminal negligence or fraud is discovered, a company that loses FedRAMP authorization due to noncompliance is likely going to suffer at least some reputational damage, making it harder for them to win contracts later.

Finally, if the CSP decides to clean up its act and get back in the good graces of FedRAMP, it may be forced to wait several years first. After that, they’ll have to go through the full authorization process, but both agencies and the PMO will put increased scrutiny on them to validate security. A second failure would undoubtedly come with even more severe penalties.

Maintaining FedRAMP Compliance

Keeping in the good graces with FedRAMP isn’t as difficult as it might seem. It does, however, require a lot of active monitoring, proactive action, and record-keeping.

This is where we come in. We designed the Ignyte Assurance Platform to be a robust and customizable dashboard that can track and monitor your compliance according to your efforts and documentation. It can serve as a great tool to keep on top of your continuous monitoring and help you identify and stop gaps before they happen.


While the Ignyte Platform can’t stop you from committing fraud, we can help you avoid noncompliance through accidental gaps and other issues. To see how and what we can do for you, simply click here to get started and see a demo in action.
