How to Prepare for FedRAMP Certification, Part 2
By: Isaac Hur, TalaTek Senior FedRAMP/StateRAMP Consultant
Obtaining Federal Risk and Authorization Management Program (FedRAMP) authorization is a challenging process for companies that want their cloud solutions to be eligible for government contracts. But it is worth the effort and can provide a return on investment by opening the door to government business.[1]
TalaTek recognizes and understands the unique requirements of obtaining this authorization, known as an Authority to Operate (ATO). We went through the process ourselves when obtaining an ATO for our TiGRIS Software as a Service, which is listed on the FedRAMP Marketplace. We are also a FedRAMP-accredited third-party assessor organization (3PAO), one of the few cloud service providers (CSPs) that is also a 3PAO, so we have insight into the roles 3PAOs play in both advising on and assessing CSP readiness.
In this blog, I put on my 3PAO hat to discuss some costs CSPs should anticipate up front as well as a couple of key ways they can start to prepare their systems and solutions for undergoing the authorization process.
Costs
Because of the expense, time, and learning curve involved in becoming FedRAMP authorized, it’s crucial to get key stakeholders, executives, IT staff, and technical SMEs to buy into the process from the beginning. Without this commitment, the effort is likely to fail.
One of the main costs to anticipate is engaging two separate 3PAOs: 3PAO advisors and 3PAO assessors. CSPs will also need to have dedicated internal SMEs with the technical skills to work with the 3PAOs to complete required documentation and to understand the assessor’s findings.
3PAO advisors. Though it’s understandable that companies want to reduce costs where possible, this is definitely a case where hiring FedRAMP-authorized 3PAO advisors to help prepare the required documentation and offer other crucial guidance can save both time and money in the long run.
CSPs may find it extremely difficult to prepare for the 3PAO assessors—which are required—without the 3PAO advisors’ assistance in developing the FedRAMP Security Assessment and Authorization (SA&A) package for the 3PAO assessors’ review.[2] (The package includes 13 documents, some of which are FedRAMP templates that must be filled out and some of which the CSP must develop itself.) Even CSPs with mature security postures gain from engaging a 3PAO advisor to make sure their documentation is current and complete and their authorization boundary is correctly scoped. Many 3PAO advisors also serve as external points of contact for the CSP during the 3PAO assessment, reviewing assessment results and tracking findings and remediations.
After gaining their initial ATO, CSPs are not done. They must also undergo continuous monitoring to show they remain FedRAMP compliant.[3] Their 3PAO advisors can provide continuous monitoring support activities, including managing and updating system documentation, maintaining the continuous monitoring plan, delivering monthly status reports, and managing Plans of Action and Milestones (POA&Ms).
3PAO assessors. The FedRAMP PMO requires a CSP to engage a 3PAO to attest to the CSP system’s readiness. This 3PAO assesses the initial SA&A package, prepares the Readiness Assessment Report (RAR),[4] and assesses the CSP’s ability to meet FedRAMP requirements. This must be a different 3PAO than the 3PAO advisors. The assessments include on-site visits and in-person interviews as well as reviews of evidence and observation of processes. The FedRAMP PMO advises that this process can take between two and four weeks.
Keep in mind that not every CSP passes their 3PAO’s RAR assessment on the first go-round, and that’s completely okay! But that’s why it’s so important to be as prepared as possible before undergoing the 3PAO assessment, so that the remediation required is minimal.[5]
Preparing Up-to-Date Documentation and Accurate Boundary Diagrams
CSPs undergoing FedRAMP authorization must show they meet all the security requirements of NIST SP 800-53 Revision 5.[6] To see what they need to prepare, organizations can follow the FedRAMP PMO’s suggestion to perform a self-assessment using the RAR template.[7] Key components are complete system documentation and accurate authorization boundary diagrams.
Documentation. The RAR template lists the required documentation, including the System Security Plan (SSP) and the security policies and procedures that cover all the control families (see footnote 2 for a link to the Checklist). CSPs can review their policies and procedures against the Checklist and the RAR template to confirm they have what’s needed, or start developing what’s missing. (Yes, it’s a long and involved list—here is where a 3PAO advisor can help fill the gaps!)
Authorization boundary. The authorization boundary[8] diagram and data flow diagram should describe in detail the cloud service offering’s internal services, components, and other devices, as well as its communications and connections to external services. The authorization boundary should account for the flow of all federal information and metadata throughout the information system. Among many other details, it needs to reflect the tools, services, and components mentioned in the SSP. (Yes, it’s a complicated and detailed set of diagrams—here again is where a 3PAO advisor can help with scoping and accuracy!)
CSPs can consult the FedRAMP PMO for assistance in meeting rigorous FedRAMP security requirements. As the many footnotes in this blog show, the PMO has checklists, guides, FAQs, blogs, and a variety of other resources. The FedRAMP Marketplace also lists authorized 3PAOs that CSPs can engage as either advisors or assessors.
In sum, it’s important to remember that the FedRAMP process is intended to be difficult to pass. That’s because government agencies need to trust that authorized CSP vendors listed in the FedRAMP Marketplace are secure, cost-effective cloud service solutions that meet NIST SP 800-53 Rev. 5 requirements.
And equally important for the CSP going through this rigorous process: establishing strong security program basics is a business best practice in its own right. It can not only harden their enterprises against costly hacks and ransomware attacks but also help them comply with a variety of industry regulations. And these definitely provide a strong return on their investment.
[1] See the first blog in this series, “The Importance of FedRAMP Authorization to Government Contractors,” for more information on the process and the advantages of being FedRAMP and StateRAMP authorized.
[2] See the FedRAMP Initial Authorization Checklist to get an idea of what’s involved.
[3] See the Continuous Monitoring Strategy Guide for more details.
[4] See RAR assessment details: https://www.fedramp.gov/assets/resources/documents/3PAO_Readiness_Assessment_Report_Guide.pdf
[5] There are many other steps in the authorization process; see the CSP Authorization Playbook for more details.
[6] See the CSP Authorization Playbook in footnote 5 for more details.
[7] See the FedRAMP Documents/Templates site to download a RAR template.
[8] FedRAMP Authorization Boundary Guidance: https://www.fedramp.gov/assets/resources/documents/CSP_A_FedRAMP_Authorization_Boundary_Guidance_DRAFT.pdf