On Wednesday we promised you more coverage of FedRAMP (Federal Risk and Authorization Management Program). And so, here we are with the aforementioned promised coverage. You didn’t think we’d go and break our promise now, did you? We’d never do something like that. We keep our promises; that’s just the kind of cloud data center hosting company we are.
Anyways, you’ll remember from our previous blog post on the matter that FedRAMP is a program that was first envisioned by the government a few years back as a way to streamline the process of federal government agencies moving into the cloud. Since agencies have to operate under strict rules and regulations – many of which are unique to the many individual agencies – to secure their data, convincing them to put their data on cloud servers has been a difficult undertaking for the federal government. So while private and public organizations of all sizes have been flying into the clouds faster than Maverick and Goose in Top Gun, the U.S. government has been staying mostly grounded.
FedRAMP aims to change all of that by simplifying and standardizing the processes for assessing risks, mitigating them and ensuring that agency data will be safe and sound with approved cloud hosting companies. How exactly do cloud data centers become FedRAMP compliant? That’s a very good question. Let’s take a look.
How to Become a FedRAMP 3PAO
Before FedRAMP was in place there were absolutely no standards or guidance materials for cloud service providers to become viable hosts for federal government agencies. So not only did the government not know what to look for, but the hosting industry didn’t know what to show it. That, as you might imagine, was kind of a problem. Working with the National Institute of Standards and Technology, FedRAMP’s creators put together a conformity assessment process “to ensure the independence of and the management and technical quality of 3PAOs [third-party assessment organizations] using a standard and consistent security assessment process.”
So these 3PAOs – who may or may not be in some way related to C-3PO from Star Wars – exist to provide independent verification and validation. You see, a cloud service provider that wants to serve the federal government must have its system assessed by a FedRAMP-accredited 3PAO, which tests whether the security controls required by the program are actually in place and reports what it finds. The 3PAO does not grant the authorization itself; that decision rests with the FedRAMP Joint Authorization Board (JAB) or the sponsoring agency, acting on the 3PAO's report. This makes for a streamlined assessment process, ensuring that every provider in the pool agencies choose from meets at least the bare minimum cloud data security requirements of the program.
Getting back to the original question in bold up above, any organization wishing to become a third-party assessment organization must pass a rigorous conformity assessment process before receiving accreditation. Basically, the assessors themselves must be assessed before they start, you know, assessing. In highly technical internet meme terms, that means the government has put some assessments in your assessments so that you can get assessments while you’re getting assessments.
In any case, there is a formal set of requirements for becoming a 3PAO, and they are as follows:
- Independence and quality management in accordance with the ISO/IEC 17020:1998 standard
- Information assurance competence that includes experience with FISMA and testing security controls
- Competence in the security assessment of cloud-based information systems
Once an organization has been elevated to 3PAO status, it can then begin performing assessments on cloud providers so that those providers can pursue federal agency cloud contracts. The 3PAO performs an initial assessment (which is pretty much the word of the day at this point) and reports whether the cloud host's controls meet the FedRAMP baseline; the JAB or sponsoring agency then uses that report to decide whether the host joins the list of authorized cloud service providers (CSPs). But it doesn't end there. This is the federal government and data security we're talking about here after all, so it'd be pretty foolish to assume things were that easy. The 3PAO must also perform periodic assessments as part of the CSP's continuous monitoring to confirm that compliance with the FedRAMP program is maintained.
The CSP is subjected to a security assessment plan designed by the 3PAO and has its cloud security controls tested on a regular basis. Once those tests are done, the 3PAO writes up a security assessment report, which goes into the CSP's authorization package for the JAB or agency to act on. And just like that (well, after the authorization decision), a cloud hosting company is an eligible government CSP. Easy.
How to Become a FedRAMP-Compliant Cloud Host
Of course, 3PAOs aren’t just going to stamp everyone who applies as “approved.” There is a list of requirements that hosting companies must meet in order to become compliant. Companies must pay all costs associated with independent assessments by accredited 3PAOs. They must also do the following:
- Use the baseline controls and accompanying FedRAMP requirements
- Directly apply or work with a sponsoring agency to submit an offering for FedRAMP authorization
- Hire a third-party assessment organization to perform an independent system assessment
- Create and submit authorization packages
- Provide continuous monitoring reports and updates to FedRAMP
So there’s all that to be considered. But that still doesn’t actually tell you anything about what the assessment process entails. How the heck do you get ready for it? How can you be sure you’ll pass it? Well, few things in life are sure things; however, the government has put together an extremely handy list of guidelines for becoming a FedRAMP-compliant CSP. You know what that means: it’s time for another list. Let’s follow Uncle Sam’s lead from the official FedRAMP guidelines on this one and switch to a numbered list instead of a bulleted one. Ready? Here we go.
1. You have the ability to process electronic discovery and litigation holds
2. You have the ability to clearly define and describe your system boundaries
3. You can identify customer responsibilities and what they must do to implement controls
4. System provides identification and two-factor authentication for network access to privileged accounts
5. System provides identification and two-factor authentication for network access to non-privileged accounts
6. System provides identification and two-factor authentication for local access to privileged accounts
7. You can perform code analysis scans for code written in-house (non-COTS products)
8. You have boundary protections with logical and physical isolation of assets
9. You have the ability to remediate high-risk issues within 30 days and medium-risk issues within 90 days
10. You can provide an inventory and configuration build standards for all devices
11. System has safeguards to prevent unauthorized information transfer via shared resources
12. Cryptographic safeguards preserve confidentiality and integrity of data during transmission
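The remediation windows in that checklist (high-risk issues fixed within 30 days, medium-risk within 90) are the item a 3PAO can check against a calendar, so a CSP needs a plan-of-action-and-milestones (POA&M) tracker that turns scan findings into deadlines and flags the ones that have slipped. The tracker below is an added example written for this post; it is not code from the original page, from GSA, or from any FedRAMP tool. The finding record layout and the sample findings are constructed for illustration, and only the two windows the checklist names are encoded; severities the page says nothing about (such as "low") are reported separately rather than assigned an invented deadline.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation windows named in the FedRAMP readiness checklist above.
# Any other severity gets no window here, because the page states none.
SLA_DAYS = {"high": 30, "medium": 90}


@dataclass
class Finding:
    """One scan finding tracked on the POA&M (hypothetical record layout)."""
    finding_id: str
    severity: str                      # "high", "medium", or "low"
    discovered: date                   # date the scanner first reported it
    remediated: Optional[date] = None  # date the fix was verified, or None


def due_date(finding: Finding) -> Optional[date]:
    """Deadline for this finding, or None if its severity has no SLA."""
    days = SLA_DAYS.get(finding.severity.lower())
    if days is None:
        return None
    return finding.discovered + timedelta(days=days)


def sla_status(finding: Finding, today: date) -> str:
    """Classify a finding against its remediation window as of `today`."""
    due = due_date(finding)
    if due is None:
        return "no_sla"
    if finding.remediated is not None:
        return "closed_on_time" if finding.remediated <= due else "closed_late"
    return "open" if today <= due else "overdue"


def days_overdue(finding: Finding, today: date) -> int:
    """Days past the deadline for a still-open finding; 0 if not overdue."""
    due = due_date(finding)
    if due is None or finding.remediated is not None or today <= due:
        return 0
    return (today - due).days


def poam_report(findings: List[Finding], today: date) -> Dict[str, List[str]]:
    """Bucket every finding by status; the 'overdue' list is what an assessor asks for."""
    report: Dict[str, List[str]] = {
        "open": [], "overdue": [], "closed_on_time": [], "closed_late": [], "no_sla": []
    }
    for f in findings:
        report[sla_status(f, today)].append(f.finding_id)
    return report


# Constructed sample findings (not real scan output), evaluated as of 2013-06-01.
SAMPLE_FINDINGS = [
    Finding("F-001", "high",   date(2013, 4, 1)),                      # overdue: due 2013-05-01
    Finding("F-002", "high",   date(2013, 5, 20)),                     # open: due 2013-06-19
    Finding("F-003", "medium", date(2013, 2, 1)),                      # overdue: due 2013-05-02
    Finding("F-004", "medium", date(2013, 4, 15), date(2013, 5, 30)),  # closed on time: due 2013-07-14
    Finding("F-005", "high",   date(2013, 3, 1),  date(2013, 4, 15)),  # closed late: due 2013-03-31
    Finding("F-006", "low",    date(2013, 1, 1)),                      # no window stated on the page
]
AS_OF = date(2013, 6, 1)

if __name__ == "__main__":
    for bucket, ids in poam_report(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{bucket:>14}: {', '.join(ids) or '-'}")
    for f in SAMPLE_FINDINGS:
        late = days_overdue(f, AS_OF)
        if late:
            print(f"{f.finding_id} is {late} days past its {f.severity} deadline")
```

The deadline is computed from the date the scanner first reported the finding, not the date someone opened a ticket for it, since the assessor will be reading the scan history rather than the ticketing system. Closed findings are still scored against the window so that a pattern of late fixes shows up in continuous monitoring reports even when nothing is open today.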
Once you can check off all of those points, you'll need to initiate participation in the program by turning in a FedRAMP Initiation Request form. The web-based form is located on the program's official website. The form requires cloud hosts to provide a security categorization of the system and to note the information types it handles, drawn from the NIST SP 800-60 Volume 2 guidelines. It's recommended that CSPs begin researching suitable 3PAOs while awaiting a response from the government after submitting the form.
Once that's done, it's time for, you guessed it, even more forms! Is it worth your time as a cloud host to go through this long and strenuous process? Stay tuned for our next blog post exploring government agency FedRAMP cloud adoption to find out.
Image Source: GSA