FedRAMP: Driving Innovation in Government Agencies by Providing a Framework to Secure Cloud Infrastructures
For more than a decade now, the cloud has promised U.S. government agencies a place to store their data efficiently, a means of accessing nearly unlimited computing resources on an as-needed basis, and the capability to provide improved digital services to citizens—all at a much lower cost than on-premises computing infrastructures.
Because fulfilling their mission within the confines of a limited budget is vitally important to federal agencies, the Office of Management and Budget (OMB) issued its “Cloud First” policy in 2010. The goal of the policy was to encourage government agencies to take advantage of the cost benefits and operational efficiencies of the cloud services model while also maintaining high standards for data privacy and security. Although cloud utilization has grown by leaps and bounds since the Cloud First policy was introduced, with federal cloud spending having increased by 500 percent over that time period, government agencies continue to trail their private-sector counterparts when it comes to cloud adoption.
Security concerns are chief among the many reasons for this lag. Federal agencies are legally mandated to conform to security standards that are both stringent and complex. These were first outlined in the Federal Information Security Management Act (FISMA) of 2002, and are elaborated in the National Institute of Standards and Technology (NIST) Special Publication 800-53. But the initial version of the standards was created long before cloud services were in widespread use, and government agencies weren’t given clear guidance on how to adapt the standards for use in cloud environments. Because agencies are obligated to adhere strictly to FISMA standards, they needed a precise roadmap for how they’re to be applied in the cloud.
That’s what the Federal Risk and Authorization Management Program (FedRAMP) offers.
What Is FedRAMP?
FedRAMP is a government-wide risk management program. Its mission is to “simplify security for the digital age by providing a standardized approach to security for the cloud” and to “facilitate the shift from insecure, tethered, tedious IT to secure, mobile, nimble, and quick IT.” The program provides standards for security controls, risk assessment and mitigation, and continuous monitoring to ensure that those controls remain in place.
In essence, FedRAMP spells out in detail how FISMA standards are to be applied in cloud environments. It provides federal agencies with a consistent and uniform way to determine whether cloud services can meet government security standards. The intent is to streamline the procurement process as government agencies navigate cloud migration initiatives.
The framework outlines three different system impact levels (low, medium, and high) and elaborates on a set of controls that must be documented to be in place at each impact level. The system impact level designations are based on the severity of the adverse effects that could occur if data loss or unauthorized information disclosure were to occur. At all system impact levels, FedRAMP includes more security controls than FISMA does. It’s because cloud infrastructures tend to be more complex than on-premises systems that FedRAMP includes these additional security requirements in order to enforce the same standards.
The FedRAMP Authorization Process
For Cloud Service Providers (CSPs) and the vendors who wish to supply cloud offerings to federal agencies, obtaining FedRAMP’s security stamp of approval and Joint Authorization Board (JAB) or Agency Authority to Operate (ATO) is a costly and complex process. The undertaking demands that CSPs invest time, effort and resources into gathering documentation, completing training, and demonstrating compliance. Completing the process demonstrates the rigor and strength of a CSP’s commitment to information security.
Whereas FISMA assessments are completed at the individual agency level, FedRAMP assessments are carried out by authorized third-party assessment organizations (3PAOs). And while a FISMA ATO is granted by a single authorizing agency to a single CSP—a one-to-one process—receiving a FedRAMP authorization package means that any government agency can grant ATOs in order to use that vendor’s services. This supports the “do once, use many times” principle outlined in the Cloud First policy, and is a one-to-many process.
To obtain FedRAMP authorization, an organization must complete multiple steps, including:
- Accurately and completely inventory all IT assets that will be used to support federal operations.
- Document which CSP is responsible for which portions of infrastructures where there are “shared responsibility” models.
- Complete detailed System Security Plans to outline how security controls are implemented in great technical depth.
- Uncover gaps where required controls are not in place and develop a plan to remediate them.
- Implement automated processes to enable system administrators to monitor configurations and settings.
From Cloud First to Cloud Smart: Updating Policy to Promote the Use of Automation in Government Cloud Environments
Migrating to the cloud today offers government agencies benefits that extend far beyond cost savings, though they can still reduce expenditures too. Cloud providers now offer access to world-class computing capacity, Artificial Intelligence (AI)-powered applications, and the ability to connect employees anywhere in the world with data-driven insights in real-time. These technologies will give government agencies new opportunities to innovate and enhance their capability to serve their citizens while creating new efficiencies.
Recognizing these benefits, the OMB issued an update to Cloud First early in 2019. The Federal Cloud Computing Strategy—Cloud Smart—seeks to remove burdensome policy barriers to drive cloud adoption and promote more rapid innovation. In particular, Cloud Smart focuses on enhancing security by encouraging risk-based decision-making and increasing the use of automation. It also seeks to increase agencies’ flexibility when it comes to procurement in order to equip them with the tools they need in order to move to the cloud.