FedRAMP for the impatient.

FedRAMP is how cloud services will be authorized for use across the Federal government. With it, the government authorizes a cloud once, instead of every agency authorizing the same cloud over and over. The FedRAMP program office has published a CONOPS document that sketches out how it will all work. It’s tedious. Don’t worry: I read it so you won’t have to.

The first thing to know about FedRAMP is that it’s built on the existing FISMA process. FedRAMP is really just FISMA, plus the procedures and rules needed to apply it to clouds. If you aren’t at least passingly familiar with FISMA, read up on that first before trying to get your head around FedRAMP.

A pet peeve: FedRAMP is not a certification. Neither is FISMA. That word has a very specific meaning, and this isn’t it. It’s an authorization. If it were a certification, you could do it once and it would count for everyone. FISMA and FedRAMP don’t work like that. Do me the favor of correcting people when they say “FedRAMP certification.” There’s no such thing.

So how does it work? First, let’s look at everyone involved.

The Players

The FedRAMP PMO

The FedRAMP Program Management Office is run by GSA and created this program. That’s about all you need to know.

The JAB

The Joint Authorization Board, or JAB, is made up of the CIOs of DOD, DHS, and GSA and their staff. They own the FedRAMP controls, which you can think of as a catalog of available security mechanisms. Minimum password length? That’s a control. Armed dudes in front of a data center? That’s a control. The FedRAMP requirements are drawn from the NIST SP 800-53 control catalog. FedRAMP doesn’t invent cloud-specific controls; instead it tailors the 800-53 baselines (pulling some controls and enhancements from the Moderate baseline down into Low, and some from High into Moderate) and sets the values of parameterized controls in ways suited to a shared cloud environment. The JAB comes up with these requirements, which must be incorporated into agency procurement language.

The CSPs

Cloud Service Providers (CSPs, in the jargon) are the vendors: Amazon, Google, Terremark, and so on. They may apply to the JAB for authorization, or an agency can apply on their behalf.

The 3PAOs

These are the Third Party Assessment Organizations. 3PAOs fill roughly the role of a Common Criteria or FIPS certification lab: they review the vendor’s documentation and confirm that the cloud vendor’s system does what the documentation says it does. They’re accredited by the JAB for now, but may be accredited by a private board in the future.

Chances are pretty good the same large integrators that already do Common Criteria and FIPS certification work will become 3PAOs as well. One caveat, which mrfisma raises in the comments below: a 3PAO assessment is less lab work than audit field work, running the SP 800-53A interview, examine and test procedures to gather evidence that controls actually operate effectively over time. It takes bodies, not benches. Still, there’s gold in those hills.

The Agencies

Under FISMA, the agencies are ultimately responsible for their own compliance, and so they are the ones who decide whether a CSP gets an authority to operate (ATO). FedRAMP is just a tool for getting to that ATO faster and more consistently.

At the same time, FedRAMP, presumably using GSA’s authority, requires that agencies contractually obligate CSPs to follow the FedRAMP rules. A little bureaucratic sleight of hand there.

The Process

Agency Authorization

CSPs can get an ATO from one agency or another, based on the FedRAMP requirements plus whatever other requirements the agency chooses to impose. This seems to be an optional first step, though CSPs already in use at an agency jump to the front of the line for provisional authorization, as we’ll see later. It’s not clear (to me) whether an agency can grant an ATO to a CSP that has not been assessed by an accredited 3PAO.

FedRAMP Provisional Authorization

Whether they have an ATO or not, FedRAMP needs a “security assessment package” from the CSP. It documents which controls are in place, what FIPS 199 impact level they’re shooting for (Low or Moderate; FedRAMP assumes no High-impact data will be hosted with a CSP), and how they satisfy the FedRAMP requirements. This is similar to the FISMA documentation already required for on-premises IT systems. If the CSP is already in use at an agency, this is mostly (hopefully) a repackaging of documentation they already created.

The package consists of a system security plan (SSP), written by the CSP, and a security assessment report (SAR), produced by the 3PAO. The SSP says what the CSP is doing, and the SAR says how well they’re doing it. If you’re familiar with the Common Criteria process, the SSP is like the security target and the SAR is like the lab report.

Speaking of labs, the CSP has hopefully engaged a 3PAO by this point (FedRAMP doesn’t expect to publish its first list of accredited 3PAOs until April at the earliest). As with the labs in the Common Criteria and FIPS certification processes, you can expect the 3PAOs to work with CSPs to determine what’s possible and what isn’t, so the CSP puts its best foot forward with the JAB.

The 3PAO then assesses the system against the SSP and produces the SAR. Strictly speaking the 3PAO doesn’t “approve” anything; it writes up what it found. But no CSP is going to submit an SSP whose claims the SAR doesn’t back up, so in practice the process iterates until the 3PAO can produce a satisfactory SAR. Once it can, either an agency or the CSP submits the package to the JAB for a security assessment. Because everything goes back to FISMA, the assessment follows the NIST SP 800-37 process.

The JAB manages its own queue of package submissions. It decides the priority of each package, and gives preference to CSPs that are already in use and hold an agency authorization. If everything’s in order, the JAB grants the CSP a FedRAMP Provisional Authorization.

With the provisional authorization in hand, the cloud can now be used by other agencies. An agency that wants to use the CSP can find the Provisional Authorization in the FedRAMP repository and say: “I’m going to do what that other guy did.” The agency can lean on the provisional authorization, add whatever controls or requirements it needs on top, and grant the CSP an ATO. Note that the agency must still issue its own ATO, accepting the risk to its own data, and there will always be some elements of some controls, even for SaaS, that the agency itself has to implement and monitor. As “mrfisma” puts it in the comments below, “any agency system owner who thinks they can completely outsource their FISMA compliance obligations by going to the cloud is mistaken.”

Continuous Monitoring

Once a CSP has a provisional authorization in the FedRAMP repository, it’s subject to an ongoing assessment and authorization process administered by the FedRAMP Program Office and DHS. The CSP is reassessed annually by a 3PAO. It’s on the hook for setting up an automated feed that gives FedRAMP and DHS real-time information on some key controls. It also has to follow OMB M-07-16 and NIST Special Publication 800-61 and cooperate with the government on incident response. Separately, OMB policy (cited in the supplemental guidance for control CA-6 in SP 800-53 rev. 3) requires that federal information systems be reauthorized at least every three years, or whenever there is a significant change to the system.

FedRAMP watches the CSP the whole time to see how things are working out. If it’s unhappy, it may revoke the provisional authorization.

FedRAMP Authorization

Just kidding! There is none. Remember, only agencies can grant authorizations under FISMA, so the best FedRAMP can do is provide a provisional authorization that agencies can use to grant an ATO more quickly.

Roadmap

FedRAMP obviously can’t put all of this in place tomorrow, so there’s a roadmap. I’ll just paste the diagram here for now; it’s pretty self-explanatory.

[The diagrams in the post come from the FedRAMP CONOPS document.]

[Updated 5 March 2012 to incorporate some excellent feedback from mrfisma, which you can find in the comments below.]

3 thoughts on “FedRAMP for the impatient.”

  1. Nice summary Gunnar. A couple of comments…

     1. JAB stands for Joint Authorization Board, not Joint Assessment Board.

     2. “The FedRAMP control catalog is based on the more general NIST SP 800-53 controls, and adds some cloud-specific additions.” Actually, FedRAMP did not add any new controls to the 800-53 control catalog. What they did do was to take some controls and/or control enhancements that may have only been required by NIST as part of the FIPS-199 Moderate baseline, and make them applicable to Low impact systems. Or take some of the High baseline requirements and make them applicable to Moderate impact systems. FedRAMP assumes that no High impact system data will be hosted on a CSP. They also defined parameters for controls/enhancements that have variables in ways that are, presumably, more appropriate for the shared environment of the cloud. But they did not dream up their own cloud-specific controls.

     3. “Chances are pretty good the same labs that already do Common Criteria and FIPS certification work will become 3PAOs, as well.” I doubt it. We’re not talking about “lab” work here. The security control assessment we’re talking about here is much more akin to an audit… field work, performing the SP800-53A Interview, Examine and Test tasks to gather and evaluate evidence of control operational effectiveness over time.

     4. “Speaking of labs, the CSP has hopefully contracted with a 3PAO by this point.” FedRAMP doesn’t expect to be issuing its first list of accredited 3PAOs until April at the earliest.

     5. “The package is then reviewed by the 3PAO. Once the 3PAO approves,…” The 3PAO is the creator of the most essential element of the package, the SAR. They don’t “approve” their own work product.

     6. “If an agency wants to use the CSP, they can find the Provisional Authorization in the FedRAMP repository and say: ‘I’m going to do what that other guy did.’ An agency can just reuse the plain-vanilla provisional authorization,…” The agency leveraging the Provisional ATO must still issue their own ATO, accepting the risk for THEIR data in the CSP environment. And keep in mind that there will ALWAYS be some elements of some controls, even in a SaaS environment, where the agency is responsible for implementation and monitoring. Any agency system owner who thinks they can completely outsource their FISMA compliance obligations by going to the cloud is mistaken.

     7. “They’ll be audited annually by their 3PAO.” The 3PAO role is a single event, to perform the SP800-53A process and produce a SAR. Some CSPs may choose to take a “continuous compliance” approach and have their controls independently assessed throughout the tri-annual reauthorization period, saving the once-every-three-years fire drill to renew an ATO, but they’re not required to do so.

    1. Thank you. This is an amazing amount of feedback. I’ve already incorporated some of it, but I wanted to make sure I responded fully below.

       “They did not dream up their own cloud-specific controls.”

       Yup, you’re right — that’s bad English on my part, which I’ve corrected. The FedRAMP requirements still rely on 800-53, but make some changes and concessions to shared environments, as you say.

       I was under the impression that 800-53r4 was going to include additional controls that were unearthed as part of the early FedRAMP process. Is that not the case?

       “The security control assessment we’re talking about here is much more akin to an audit… field work, performing the SP800-53A Interview, Examine and Test tasks to gather and evaluate evidence of control operational effectiveness over time.”

       You’re right, it’s different work, and I agree that the smaller guys wouldn’t get into the business just because it’s too labor-intensive. When I wrote that, I was thinking of the SAICs, BAHs, and CSCs of the world, who have the institutional patience for the lab accreditation process and the bodies to do that kind of work.

       “‘Speaking of labs, the CSP has hopefully contracted with a 3PAO by this point.’ FedRAMP doesn’t expect to be issuing its first list of accredited 3PAOs until April at the earliest.”

       That’s right. I only meant to emphasize the consultative role of the 3PAOs, and that it’s unlikely a CSP would even start the process before they’d engaged a 3PAO. At least, I wouldn’t.

       “‘The package is then reviewed by the 3PAO. Once the 3PAO approves…’ The 3PAO is the creator of the most essential element of the package, the SAR. They don’t ‘approve’ their own work product.”

       Sure, the SAR is created by the 3PAO, but the SSP is created by the CSP, and together they comprise the package.

       The CSP or agency isn’t going to submit an SSP that makes claims not supported by the SAR, right? It’s not like the CSP throws everything over a wall to the 3PAO and blindly submits whatever SAR they get. There’s a whole deliberative process in there, and the CSP won’t complete the process until the 3PAO can produce a satisfactory SAR. So that’s very much like an approval.

       …or maybe I’m completely misreading this part of the process?

       “Any agency system owner who thinks they can completely outsource their FISMA compliance obligations by going to the cloud is mistaken.”

       Agreed. Love the way you put that. I’ve altered that whole paragraph to give you some credit, and to be less blithe.

       “‘They’ll be audited annually by their 3PAO.’ The 3PAO role is a single event, to perform the SP800-53A process and produce a SAR. Some CSPs may choose to take a ‘continuous compliance’ approach and have their controls independently assessed throughout the tri-annual reauthorization period, saving the once-every-three-years fire drill to renew an ATO, but they’re not required to do so.”

       Wow, I had a completely different reading. Page 38 makes it pretty clear that the CSP must be reassessed by the 3PAO annually, and none of the other continuous compliance items sound optional to me. In fact, I can’t find a reference to a tri-annual reauthorization period. Where did you find this information?

  2. “I was under the impression that 800-53r4 was going to include additional controls that were unearthed as part of the early FedRAMP process. Is that not the case?”

     I haven’t had the time to dig into R4 yet, but I did get a briefing from Ron Ross on the Overlay concept embedded in it. I hope to give it a complete review in the next couple of weeks.

     “The CSP or agency isn’t going to submit an SSP that makes claims not supported by the SAR, right? It’s not like the CSP throws everything over a wall to the 3PAO and blindly submits whatever SAR they get. There’s a whole deliberative process in there, and the CSP won’t complete the process until the 3PAO can produce a satisfactory SAR. So that’s very much like an approval.

     …or maybe I’m completely misreading this part of the process?”

     No, as you’ve stated it, I think we’re in complete agreement. I just wouldn’t use the word “approval” with respect to the products of a 3PAO.

     “Wow, I had a completely different reading. Page 38 makes it pretty clear that the CSP must be reassessed by the 3PAO annually, and none of the other continuous compliance items sound optional to me. In fact, I can’t find a reference to a tri-annual reauthorization period. Where did you find this information?”

     I stand corrected. I missed that very important element in the ConOps (thanks again for your great review of it!!!). The agency I work for (who assigned me to participate in the FedRAMP development effort early on… about 1/3 of the ~1K comments they got during the comment period came from me) is tightly coupled to the tri-annual reauthorization cycle. That renewal guidance is from OMB and referenced in the Supplemental Guidance for Control CA-6: Security Authorization in SP800-53R3, where it says “OMB policy requires that federal information systems are reauthorized at least every three years or when there is a significant change to the system.”

     Thanks again for your excellent review of the ConOps doc.
