Just like any compliance or set of regulations, FedRAMP uses many acronyms and key terms to describe processes, standards, and regulations. This article explains key terminology that is used in the FedRAMP framework. You may already be familiar with some of these compliance terms and acronyms from other security frameworks.
FedRAMP – Federal Risk and Authorization Management Program
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This is in support of the U.S. government’s objective to enable U.S. federal agencies to use managed service providers that enable cloud computing capabilities. FedRAMP is governed by a Joint Authorization Board (JAB) that consists of representatives from the:
- Department of Homeland Security (DHS)
- General Services Administration (GSA)
- Department of Defense (DoD)
The FedRAMP program is endorsed by the U.S. government’s CIO Council including the Information Security and Identity Management Committee (ISIMC).
CSP – Cloud Service Provider
This category of a company offers cloud computing to others, from the entire platform to specific applications. There are different functional options each provides, such as on-demand, self-provisioning, and subscription-based.
Three types of services that cloud service providers (CSPs) offer:
Infrastructure as a Service (IaaS) – Used for networking and infrastructure components, such as servers, routers, switches, and other hardware
Platform as a Service (PaaS) – Described as infrastructure and services for managing and running various applications with less complexity; this is popular in software development.
Software as a Service (SaaS) – This is for running a variety of business applications for different functions, like healthcare, sales, and financial.
Companies that offer these cloud deployment models include Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.
The Federal Information Processing Standard (FIPS) 199 provides the regulations for systems and information for the Cloud Service Offerings (CSOs) for each provider. These offerings are organized into different impact levels (High, Moderate, and Low) cross-examined against the CIA (Confidentiality, Integrity, and Availability) security triad.
ATO – Authority to Operate
When a Cloud Service Provider (CSP) begins to work with an Agency in order to get authorized, this assigned agency will review the security, from infrastructure to controls, of the cloud deployment model.
There are typically 4 phases of this process for a CSP to be granted an ATO:
- Partner Establishment
- Full Security Assessment
- Authorization Processes
- Continuous Monitoring
JAB – Joint Authorization Board
The Joint Authorization Board (JAB) is the primary governance and decision-making body for the FedRAMP program. The JAB assesses and grants “joint provisional security authorizations on cloud solutions” applying universal, systematic methodology and practices from the industry. The stakeholders appointed in the JAB include Chief Information Officers from the Department of Defense, the Department of Homeland Security, and the General Services Administration.
The key responsibilities for the JAB include:
- Outline all FedRAMP-related stipulations.
- Authorize accreditation benchmarks for 3PAOs.
- Institute a primacy list for authorization package reviews.
- Analyze FedRAMP authorization packages.
- Permit joint provisional authorizations.
- Validate that these provisional authorizations are evaluated and reformed routinely.
PMO – Program Management Office
The FedRAMP PMO is responsible for the development of the FedRAMP program and manages its day-to-day operations. The PMO creates processes, guidance, and templates for Agencies and CSPs to use for the purpose of developing, assessing, and authorizing cloud systems in accordance with FISMA.
The FedRAMP PMO’s mission is to promote the adoption of secure cloud services across the Federal Government by providing a standardized approach to security and risk assessment.
P-ATO – Provisional Authorization to Operate
A FedRAMP P-ATO is the first step for a cloud service provider toward earning a FedRAMP ATO. It is considered a “preauthorization.” Once a cloud service provider is awarded a P-ATO, they have been granted preliminary approval from the JAB; this enables the CSP to begin work. Essentially, it is permission given to an organization to operate at the Moderate impact level by the FedRAMP Joint Authorization Board (JAB).
3PAO – Third-Party Assessment Organization
A Third-Party Assessment Organization (3PAO) is an organization that has been accredited to assist CSP’s and government agencies in meeting FedRAMP compliance regulations.
By using FedRAMP approved templates, these organizations evaluate cloud-based providers’ systems to ensure transparency and consistency in data security strategies. Per the U.S. General Services Administration’s (GSA), a 3PAO must meet the following requirements:
- Independence and quality management in accordance with International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 17020: 1998 standards.
- Information assurance competence that includes experience with the Federal Information Security Management Act of 2002 (FISMA) and testing security controls.
- Competence in the security assessment of cloud-based information systems.
For a full, updated list of FedRAMP 3PAO requirements, please visit FedRAMP 3PAO Requirements
SSP – System Security Plan
A System Security Plan (SSP) documents the controls that have been selected to moderate the risk of a system. These controls are determined by the Risk Analysis and the FIPS 199. Federal systems fall into either a Low, Moderate, or High category, per NIST’s guidelines.
An SSP provides information regarding the system owner, the name of the system, and lists the security controls selected for the system. Each control listing includes a detailed description that allows the system owner or auditor to confirm, or validate, the effectiveness of said control.
These are the key highlights for FedRAMP terminology, but you can visit the FedRAMP Glossary for a complete listing.