Imagine you’re the CEO of a cloud service provider called Cloudy Skies. Your company has developed a cutting-edge cloud storage service that you’re sure will be a hit with federal agencies. You’ve spent months preparing your security package and working with a Third Party Assessment Organization (3PAO) to conduct a security assessment.
Finally, the day arrives when the 3PAO delivers its final assessment report. You’re over the moon! You immediately start reaching out to federal agencies, offering your cloud storage service, and boasting that you are FedRAMP authorized.
Everything is going great until you receive a call from an agency you’ve been trying to land as a client. They tell you they’re interested in your cloud storage service, but there’s one problem: you need FedRAMP authorization, and your service is nowhere on the FedRAMP Marketplace.
You’re confused and check your records, only to realize that you never submitted your security package for authorization review. An assessment report is not an authorization; you completely forgot about that crucial step!
Lesson Learned: FedRAMP authorization is essential for companies looking to do business with the federal government, and a growing number of private sector companies also require government-grade data security for their sensitive information.
Make sure to follow the FedRAMP authorization process carefully and thoroughly, all the way through to the authorization decision, so that you actually hold the authorization you need to do business with federal agencies.
What Is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud services used by federal agencies. It is built on the security controls in NIST SP 800-53, selected according to the system’s FIPS 199 impact level. If you’re a cloud service provider looking to do business with the federal government, obtaining FedRAMP authorization is crucial.
Navigating the FedRAMP authorization process, however, can be complex and time-consuming. Here is a step-by-step guide to help you get started.
Determining readiness for the Federal Risk and Authorization Management Program (FedRAMP) is an essential first step in obtaining FedRAMP authorization.
To determine your readiness for FedRAMP, you’ll need to review the FedRAMP requirements and determine whether your cloud service implements all of the security controls in the NIST SP 800-53 baseline for your impact level. You will need to provide documentation to support your claims. Documentation may include your System Security Plan (SSP), contingency plan, incident response plan, and the policies and procedures behind them. If you want an independent check before committing to a full assessment, a 3PAO can perform a Readiness Assessment and produce a Readiness Assessment Report (RAR), which can earn your service a “FedRAMP Ready” designation on the FedRAMP Marketplace.
In addition to reviewing the FedRAMP requirements, it’s also critically important to consider whether your organization is ready for the FedRAMP authorization process. Do you have the necessary resources and personnel to support the process, including the continuous monitoring obligations that follow authorization? Are you prepared to undergo the security assessment and meet the many other requirements?
Overall, determining readiness for FedRAMP involves the following:
- Thoroughly reviewing the FedRAMP requirements
- Gathering the necessary documentation
- Ensuring that your organization is prepared to undergo the authorization process
By taking the time to evaluate and then ensure your commitment and readiness, you can improve your chances of success and streamline the process of obtaining FedRAMP authorization.
Once you’ve determined that your organization and your cloud service offering are ready for the Federal Risk and Authorization Management Program (FedRAMP), the next step is to choose a path to authorization. This has two parts: the impact level of your service, and who will authorize it. In the Agency Authorization path, a sponsoring federal agency reviews your package and issues the Authority to Operate (ATO); the FedRAMP PMO then reviews the package before listing the service as FedRAMP Authorized. Whichever path you take, the impact level determines the control baseline you will be assessed against.
FedRAMP has three impact levels, taken from FIPS 199: Low Impact Level (LI), Moderate Impact Level (MI), and High Impact Level (HI). Each level has a different control baseline from NIST SP 800-53, and the number of controls grows with the level (roughly 156 for Low, 323 for Moderate, and 410 for High under the Rev. 5 baselines).
The Low Impact Level (LI) is the least stringent of the three levels and is suitable for cloud services where the loss of confidentiality, integrity, or availability would have only a limited adverse effect, typically services that handle public or low-sensitivity data and do not process, store, or transmit controlled unclassified information (CUI). A further reduced baseline, Low Impact SaaS (LI-SaaS), exists for low-risk SaaS offerings.
The Moderate Impact Level (MI) is more stringent than the LI level and is suitable for cloud services where a loss would have a serious adverse effect, which covers most services that handle CUI and other sensitive but unclassified information. The large majority of FedRAMP authorizations are at the Moderate level.
The High Impact Level (HI) is the most stringent of the three levels. It is suitable for cloud services where a loss would have a severe or catastrophic adverse effect, such as systems supporting law enforcement, emergency services, financial systems, or health systems. Note that handling personally identifiable information (PII) does not by itself put a service at High; the level is set by the impact of a loss, not by the data type alone.
To choose the right level of FedRAMP authorization for your organization, you’ll need to determine the impact level of your cloud service based on the types of information it handles and the security controls you currently have in place, and your sponsoring agency will need to agree with that categorization. You should also consider the level of scrutiny and the level of resources (budget, personnel, time, etc.) needed to meet the requirements of each level.
By carefully choosing the most appropriate level for your cloud service, you will be better able to commit to and ensure that you meet the requirements and channel your resources appropriately through the authorization process.
The Federal Risk and Authorization Management Program (FedRAMP) requires that all cloud services undergo an independent security assessment by a Third Party Assessment Organization (3PAO) before being authorized. The 3PAO conducts the security assessment and documents its findings in a Security Assessment Report (SAR), which becomes part of the security package reviewed by the authorizing agency and the FedRAMP Program Management Office (PMO). Choosing a 3PAO is a critically important step in the FedRAMP authorization process.
To choose a 3PAO, you’ll need to consider several factors, including the 3PAO’s accreditation status, experience, and expertise. Only 3PAOs that are accredited by the American Association for Laboratory Accreditation (A2LA) under ISO/IEC 17020 and recognized by the FedRAMP PMO may conduct security assessments for FedRAMP. You can find a list of recognized 3PAOs on the FedRAMP Marketplace.
In addition to considering the 3PAO’s accreditation status, you should also consider the 3PAO’s experience and expertise. Look for 3PAOs with experience assessing cloud services similar to yours (same service model, same impact level) and with expertise in the relevant security controls and standards.
Finally, consider a 3PAO’s pricing and availability. Make sure to get quotes from multiple 3PAOs and consider factors such as the security assessment cost, the assessment process length, and the 3PAO’s availability. Keep in mind that the 3PAO must remain independent of the organization it assesses, so it cannot also be the consultant who wrote your security package.
By choosing a 3PAO that meets your needs and has the necessary experience and expertise, you can ensure that your security assessment is conducted smoothly and effectively.
Once you’ve chosen a Third Party Assessment Organization (3PAO) and gathered all of the necessary documentation, the next step in the Federal Risk and Authorization Management Program (FedRAMP) authorization process is to submit your security package for review by your authorizing agency and the FedRAMP Program Management Office (PMO).
The security package is an extremely thorough and comprehensive set of documents describing your cloud service offering, your security controls, and your organization’s security policies and procedures. Its core is the System Security Plan (SSP), which describes the system boundary and how every control in your baseline is implemented; it is completed by the 3PAO’s Security Assessment Plan (SAP) and Security Assessment Report (SAR) and by your Plan of Action and Milestones (POA&M), which tracks any open findings.
To begin, you’ll need to create a project initiation document that provides an overview of your cloud service and includes information such as the name of your organization, the name of your cloud service, the authorization path, and the impact level of your cloud service.
Next, you’ll need to gather all the relevant documentation, including the System Security Plan and its attachments: contingency plan, incident response plan, configuration management plan, and other appropriate documentation. Be sure to include all of the documentation required by the FedRAMP requirements for the impact level of your cloud service, using the current FedRAMP templates.
Once you have all the necessary documentation, you’ll need to submit it through the channel the FedRAMP PMO specifies for your path. You’ll also need to provide any additional information or clarification that the agency or the FedRAMP PMO may request.
Submitting your security package can be time-consuming, but it is a necessary step in the FedRAMP authorization process. By carefully gathering all the necessary documentation and presenting it in a timely and organized manner, you can improve your chances of success.
Once your System Security Plan has been reviewed and accepted for assessment, the next step in the Federal Risk and Authorization Management Program (FedRAMP) authorization process is the security assessment itself. The assessment is what turns the SSP into a complete security package, because its results (the SAP and SAR) are required for the authorization decision.
The security assessment is carried out by a Third Party Assessment Organization (3PAO) that is A2LA-accredited and recognized by the FedRAMP PMO to conduct security assessments of cloud services.
The security assessment typically involves on-site and off-site testing to ensure that your cloud service meets the FedRAMP requirements. The 3PAO will review your documentation, test every control in your baseline (through examination, interviews, and technical testing), perform vulnerability scanning of operating systems, databases, and web applications, conduct penetration testing, and interview some of your employees to confirm that your cloud service is secure and meets all of the requirements for your chosen impact level. Findings that are not fixed during the assessment go into your POA&M with remediation dates.
The security assessment process can take several weeks or even months, depending on the complexity of your cloud service and the number of security controls that need to be tested. It’s essential to be prepared for the security assessment and to work closely with the 3PAO to ensure that the evaluation is conducted smoothly and efficiently.
By completing the security assessment, you’ll be one step closer to obtaining FedRAMP authorization for your cloud service.
Once the security assessment is complete, the Third Party Assessment Organization (3PAO) delivers its Security Assessment Report, and the completed security package goes to the authorizing agency for review. The agency’s authorizing official weighs the residual risk documented in the SAR and POA&M and decides whether to grant an Authority to Operate (ATO).
If the agency grants the ATO, its authorization letter and your package are reviewed by the FedRAMP Program Management Office (PMO); once the PMO confirms the package meets FedRAMP requirements for your chosen impact level, your service is listed as FedRAMP Authorized on the FedRAMP Marketplace.
The FedRAMP Marketplace is a centralized directory of authorized cloud services accessible to federal agencies, and an existing authorization can be reused by other agencies instead of each one starting from scratch.
If the reviewers determine that your cloud service does not meet the FedRAMP requirements, you’ll receive findings outlining the areas that need to be addressed. You’ll then need to remediate those findings, have the 3PAO verify the fixes where required, and resubmit your security package for review.
The review and approval process can be complex and time-consuming, but it is an essential step in the FedRAMP authorization process. Keep in mind that authorization is not the end: you must then maintain it through continuous monitoring, including monthly vulnerability scans, POA&M updates, and an annual assessment by a 3PAO. By completing the review and approval process, you’ll be able to do business with federal government agencies and certain private sector businesses.
Conclusion: FedRAMP authorization is a rigorous process that ensures that cloud service providers meet the high-security standards set by the U.S. government. Obtaining FedRAMP authorization is a significant achievement that demonstrates your commitment to data security, namely protecting sensitive information, and helps build customer trust.