At the end of September of this year, a bill was passed by the U.S. House of Representatives and proceeded on its way to the Senate. This bill is important because it aims to improve security among the federal government’s cloud services. It would necessitate changes to current FISMA legislation and affect mainly CSPs serving by federal government agencies.
Read on to learn more about proposed updates to FedRAMP and FISMA and how they could impact cloud service providers.
What Is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) promotes the adoption of secure cloud services across U.S. government agencies by standardizing security assessments for cloud service technologies. Looking at the bigger picture, FedRAMP creates a partnership between the federal government and industry so as to modernize IT infrastructure while protecting federal information.
Before the existence of FedRAMP, cloud vendors had to meet different security requirements for each federal agency. The establishment of this program works to eliminate duplication by providing a common security framework. Using a common framework makes it possible for agencies and cloud service providers to reuse authorizations. Government agencies now review a standardized set of security materials against one, common baseline. A cloud service offering is authorized once and, then, the security package can be used again by any federal agency. Overall, this saves money, time, and effort for both agencies and cloud service providers.
How FedRAMP Authorization Works Currently
There are two approaches to obtaining FedRAMP authorization: through the joint authorization board (JAB) or through a specific federal agency. Both options require the same deliverables to promote reuse across the federal government. Documentation materials are compiled by cloud service providers and third-party assessment organizations (3PAOs) and convey the risk associated with the cloud service offering. Then, the documentation is reviewed by any agency that is looking to use a given cloud service product.
The CSP decides which authorization path to take. For the first path, the JAB uses a process called FedRAMP Connect to prioritize cloud products for a provisional “Authority to Operate” (ATO). The CSP must demonstrate government-wide demand. In the second option, agencies may work directly with the cloud service provider for authorization at any time.
Regardless of which approach a CSP chooses, there are generally three phases to this process: preparation, authorization, and continuous monitoring.
- Preparation – The CSP prepares to undergo the authorization process. They make any necessary technical and procedural adjustments to meet federal security requirements and prepare the security deliverables required for authorization. This also includes engaging third-party assessment firm to perform an independent audit of the system.
- Authorization – For an agency authorization, the agency conducts a security package review, performs a risk analysis, accepts risk, and issues an ATO. This determination is based on the agency’s risk tolerance. For a JAB authorization, the JAB reviews CSP security package and issues a PTO for the cloud offering. These security packages–either authorized through the JAB or agency–are added to the secure FedRAMP repository (also called the FedRAMP marketplace) for agencies to review, perform risk analysis, and reuse.
- Continuous Monitoring – All CPS must complete an annual assessment, monthly vulnerability scans, incident reporting, as well as deviation and significant change requests.
How Secure Cloud Services Are Made Available for Federal Agencies
Once a cloud service offering enters the authorization phase, it can be listed on the FedRAMP marketplace. The marketplace is the definitive source for FedRAMP -authorized service offerings. Here, government employees can search and sort through the database to find cloud services that are available for government-wide use. CSP products on the marketplace are designated as: ready, in-process, or authorized.
‘Ready’ is a designation that indicates that a 3PAO attests to a CSO’s security capabilities and that a readiness assessment report has been reviewed and deemed acceptable. ‘In-process’ is a designation provided to CPS that are actively working towards a federal ATO through either the JAB or specific federal agency. Finally, ‘authorized’ is the designation that confirms the successful completion of the federal authorization process. The federal marketplace also lists the accredited assessors who can perform FedRAMP assessments.
Proposed FedRAMP Authorization Act
On September 29, 2022, the House approved a bill that would sign the Federal Risk and Authorization Management Program into law. Though FedRAMP has been operating for 11 years now, under the General Services Administration (GSA), this bill would formally authorize the PROGRAM in support of greater national security.
FedRAMP is responsible for governing risk management and monitoring for government cloud services. It outlines the standards that CSPs must meet in order to take part in the government market for cloud services, a market that is valued over $10 billion.
FedRAMP works to standardize security assessments, authorization, and continuous monitoring of cloud services utilized by federal government agencies. As it stands, cloud service providers are required to get Authority to Operate (ATO) attestation in order to serve federal agencies. And these new updates would help make the evaluation process faster, easier, and more predictable for CSPs.
What Changes Are Expected?
With regard to the FedRAMP program, changes are not expected in relation to ATO requirements for cloud service providers. Instead, the proposed Act is designed to reduce redundancies and eliminate differences and agency-specific requirements in the current review/approval process for cloud services. More specifically:
- Facilitate the adoption of cloud technology that has already been ATO approved.
- Eliminate the need for cloud technologies to undergo redundant security assessments when in order to serve multiple government agencies.
- Require the GSA to automate more of its processes to speed up FedRAMP assessments, further standardize the process, and support continuous monitoring.
- Establish a Federal Secure Cloud Advisory Committee to oversee discussions between agencies and drive improvement in the acquisition and adoption of secure cloud services.
- Formulate a joint authorization board comprised of cloud industry and technical cybersecurity experts.
As the FedRAMP Authorization Act stands, it would push a few key updates to FISMA as well.
- It would require federal agencies to report data breaches in certain situations.
- It would require federal agencies to perform risk assessments on a regular basis.
Now What?
We will have to wait and see. At the moment, the FedRAMP Authorization Act is up for vote by the U.S. Senate.
Related article: Keep Data in the Cloud Safe with the Right CSP Audit.
Looking for professional advice on getting a FedRAMP ATO? Contact I.S. Partners today to discuss your objectives and how we can help your organization reach them.