FedRAMP Certification: An Overview of Why It Matters

Cloud Service Providers seeking certification may see a more efficient authorization process utilizing Portal26’s encryption and vault technologies.

Cybersecurity is now in the spotlight as data breaches become a near-daily story. Organizations are consuming massive amounts of personal data that is directly tied to everyday people, and they’re often utilizing cloud-based services to help store them. This can be as commonplace as using your Gmail account at work or in personal correspondence. However, when the data involved is government data, security concerns become even larger.

To help combat the risk of government data seeing unsanctioned public exposure, the U.S. government requires federal agencies that are using cloud services to meet a set standard of security: FedRAMP.

What Is FedRAMP?

FedRAMP, also known as the “Federal Risk and Authorization Management Program,” is a standardized cybersecurity program designed to ensure all federal data is protected consistently and at a high level. Adopted in 2012, shortly after cloud services began gaining traction among organizations, FedRAMP initiated a clear and consistent process of requirements and steps in order for cloud service providers that are seeking to work with federal agencies. Prior to this standardization, these same providers were required to formulate their own packages for each agency and were often inconsistent with one another. The security standards were also unclear and varied between providers and agencies.

Through FedRAMP certification, cloud service providers can meet the outlined requirements and only go through one authorization process. Once this process is completed, any federal agency can use that provider’s security package.

Cloud service providers can look to begin certification in two ways: through an individual agency or the Joint Authorization Board (JAB).

How Long Does FedRAMP Certification Take?

Cloud service providers looking to work with government agencies should first consider if they’d like to certify through the JAB or an individual agency.

Providers certifying through the JAB first undergo a readiness assessment that determines the security risks involved. If the provider is deemed ready, they will then receive a full security assessment, an authorization process and ultimately their FedRAMP certification with continuous compliance monitoring. This process can take anywhere from roughly seven to nine months to complete.

Providers certifying through individual agencies may see a more expedited timeline. Those who have received business interest from specific government agencies have the benefit of skipping an initial readiness assessment. Instead, the agency walks providers through each step and provides the full security assessment. If this assessment is successful, providers just need to pass the authorization process and then continuous compliance monitoring. This process can take anywhere from roughly four to six months to complete.

Steps to FedRAMP Compliance 

Regardless of which path providers choose, there are four main steps to FedRAMP compliance:

• Package development. The process begins with an initial authorization meeting followed by developing a completed System Security Plan. Finally, an approved third-party develops a Security Assessment Plan.
• Assessment. This occurs through a Security Assessment report submitted by the assessment organization. Meanwhile, the provider creates a Plan of Action & Milestones.
• Authorization. Either the authorizing agency or the JAB then determine if assessed risks are acceptable. If providers pass, the authorization party submits an Authority to Operate Letter and the provider is then listed in the FedRAMP Marketplace.
• Monitoring. The approved provider is then responsible for sending monthly security monitoring reports to each agency utlizing their approved product.

FedRAMP Compliance Requirements

FedRAMP certification can be a time-consuming and lengthy process, but there are some general guidelines providers can keep in mind when ensuring compliance:

1. Map your product to FedRAMP by performing a gap analysis. This ensures that the current environment is already in compliance with security requirements.
2. Receiving FedRAMP certification is an arduous process that needs support at all levels to succeed. Technical teams and executive leadership alike should be in agreement and working towards compliance together.
3. While pursuing certification through the JAB is an option, finding an agency partner is a great option for smaller organizations or those who know they may not have the proper resources alone.
4. Take the time to accurately define your product’s authorization boundary, including the internal components, external service connections, and the flow of federal information and metadata.
5. Understand that FedRAMP certification is a continuous process where provider security measures are constantly monitored to ensure that they are up to date.
6. If you have multiple products, take the time to consider whether you will need one authorization or multiple.
7. Utilize FedRAMP PMO and the templates offered to help prepare cloud service providers for FedRAMP compliance.

FedRAMP Baselines

There are also four impact-level categories used for risks associated with different services, including the potential impacts of a security breach in three areas: Confidentiality, Integrity and Availability.

These areas determine whether risks associated are categorized as:

• High. These are systems associated with devastating results to the organization or individuals should data be compromised or unavailable, such as law enforcement, financial institutions or health systems.
• Moderate. The majority of systems fall under the moderate category, meaning loss of data confidentiality and availability would have severe, although non-life threatening or life ending, implications .
• Low. These systems see little adverse effects on agency operations, assets or individuals if data is compromised or unavailable.
• Low-Impact Sofware-as-a-service (LI-SaaS). Also known as FedRAMp Tailored, this level was included to help low-risk use cases receive certification. These systems do not store personal identifiable information (PII) beyond general login capabilities.

While the first three impact levels are determined by the Federal Information Processing Standard (FIPS) 199, the fourth is based on the National Institute of Standards and Technology’s (NIST) Special Publication 800-37.

Should You Seek FedRAMP Certification?

While some cloud service providers may not be interested in working with federal agencies, it’s worth considering. Being FedRAMP compliant opens new avenues for the opportunity and future partnerships that otherwise would be unavailable. Cloud service providers who are considering FedRAMP certification but are unsure of the time investment may have another way to quicken the compliance process: security technologies already certified in FIPS.

An example of such a technology is , Portal26. Portal26 provides strong security controls in the form of various types of NIST FIPS 140-2 validated encryption as well as several other privacy preserving formats. The huge advantage Portal26 has over other encryption solutions is that Portal26 enables data to extend FIPS 140-2 validated encryption even beyond encryption at-rest and in-transit, to also include data-in-use. All of Portal26’s data security modules are FIPS 140-2 certified. This means that if your environment is utilizing any of these modules, you could already be eligible for the FIPS certification utilized to determine impact levels. By applying Portal26’s encryption and vault technology to data in transit, at rest and in use, providers already have an advantage in the process.

For more information on FIPS certifications (FIPS-140 and FIPS 140-2) and how they relate to FedRAMP compliance, keep an eye on Portal26’s upcoming blogs. Alternatively, providers ready to begin their FedRAMP and FIPS certification processes can contact the Portal26 team at info@titaniam.io or visit the resources area of the FEDRAMP website directly.