Federal Risk and Authorization Management Program (FedRAMP): FedRAMP basically means ‘NIST A&A for The Cloud’. As the Government mandates the use of cloud-based solutions across more and more Federal systems, commercial Cloud Service Providers (CSPs) as well as cloud-based solution developers should look into the requirements for becoming FedRAMP authorized.

If you are hosting Federal information and rely on cloud-based technology, you, Sir, should get your system FedRAMPed now!

As stated above, FedRAMP is NIST for cloud systems – FedRAMP security controls are a mashup of NIST controls and FedRAMP enhancements specific to cloud technologies. The number of controls and the effort of authorization increase depending on which ‘as a service’ your solution is.

That's Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS). One caveat and nifty thing about FedRAMP is that it is tiered, meaning a SaaS approval will be easy (relatively) only if the SaaS resides on an already-approved PaaS / IaaS, because it would then ‘inherit’ a large number of already-validated controls from the CSP. Make sense?

Anyway, these are the things you can expect from a FedRAMP assessment:


Pretty much everything required for RMF and NIST assessments is also required for FedRAMP authorization - just add in some FedRAMP enhancements and you get the picture. (DoD systems would additionally require RMF additions and the use of the Cloud Computing SRG.)

Depending on how wide a net you want to cast, Federal Agency AOs, DoD Component AOs, or the FedRAMP Joint Authorization Board (JAB) would authorize your cloud solution. There is limited reciprocity across AOs, but JAB approvals should be accepted by Federal or DoD entities. 3fold can assist in determining the best strategy for authorizations aligned with your business plans.

The FedRAMP office has eliminated conflicts of interest between system engineering efforts and assessment teams, so there are strict limitations on how consultants are used to implement FedRAMP controls versus who can validate them. There are no limitations on who can help configure FedRAMP controls, but, for JAB authorizations, an approved Third Party Assessment Organization (3PAO) is required to verify compliance.

I bring this up because we prefer to help implement. Working directly with your engineers and leadership, we'll help you through the process of getting FedRAMP controls implemented, and we'll set you up with the best-fit 3PAO once the FedRAMP package is ready for validation and submittal. That being said, 3fold is in the process of becoming a 3PAO, so stay tuned.

