FedRAMP is how clouds will be authorized for use in the Federal government. With it, the government can authorize a cloud for use just once, instead of forcing each agency to authorize the same cloud over and over. The FedRAMP program office published a CONOPS document, which sketches out how everything will work. It’s tedious. Don’t worry: I read it, so you won’t have to.
The first thing you need to know about FedRAMP is that it’s based on the existing FISMA process. FedRAMP is really just FISMA, plus some procedures and rules so it can be used for clouds. If you aren’t passingly familiar with FISMA, it may be worth reading about that first before trying to get your head around FedRAMP.
A pet peeve: FedRAMP is not a certification. Neither is FISMA. That word has a very specific meaning, and this is not an instance of it. It’s an authorization. If it were a certification, you could just do it once, and it would work for everyone. FISMA and FedRAMP don’t work like that. Do me the favor of correcting people when they say “FedRAMP certification.” There’s no such thing.
So how does it work? First, let’s look at everyone involved.
The FedRAMP PMO
The FedRAMP Program Management Office is run by GSA, and created this program. That’s about all you need to know.
The Joint Authorization Board, or JAB, comprises the CIOs of DOD, DHS, and GSA and their staff. They own the FedRAMP controls, which you can think of as a catalog of available security mechanisms. Minimum password length? That’s a control. Armed dudes in front of a data center? That’s a control. The FedRAMP requirements are based on the more general NIST SP 800-53 controls, and add some cloud-specific provisions. The JAB comes up with these requirements, which must be incorporated into agency procurement language.
Cloud Service Providers (CSPs, in the jargon) are the vendors: Amazon, Google, Terremark, and so on. They may apply to the JAB for authorization, or an agency can apply on their behalf.
3PAOs are the 3rd Party Assessment Organizations. They fulfill the same role as a Common Criteria or FIPS certification lab. They review the vendor’s documentation, and confirm that the cloud vendor’s system does what the documentation says it does. They’re accredited by the JAB for now, but may be accredited by a private board in the future.
Chances are pretty good the same labs that already do Common Criteria and FIPS certification work will become 3PAOs, as well. There’s gold in those hills.
Under FISMA, the agencies are ultimately responsible for their compliance, and are therefore the ones who decide if a CSP gets an authority to operate (ATO). FedRAMP is just a tool to get the ATO faster and more consistently.
At the same time, FedRAMP, presumably using GSA’s authority, requires that agencies contractually obligate CSPs to follow the FedRAMP rules. A little bureaucratic sleight of hand there.
CSPs can get an ATO from one agency or another, based on the FedRAMP requirements and whatever other requirements the agency may choose. This seems to be an optional first step, though CSPs that are already in use at the agency level will jump to the front of the line for provisional authorization, as we’ll see later. It’s not clear (to me) whether an agency can grant an ATO to CSPs that have not been approved by an accredited 3PAO.
FedRAMP Provisional Authorization
Whether they have an ATO or not, FedRAMP needs a “security assessment package” from the CSP. This documents which controls are in place, what category of protection they’re shooting for under FIPS-199, and how they satisfy the FedRAMP requirements. This is similar to the FISMA documentation that’s already required for on-premise IT systems. If the CSP is already in use at an agency, this is mostly (hopefully) a repackaging of the documentation they already created.
The package consists of a system security plan (SSP) and a security assessment report (SAR). The SSP says what the CSP is doing, and the SAR says how well they’re doing it. If you’re familiar with the Common Criteria process, the SSP is like the security target and the SAR is like the lab report.
Speaking of labs, the CSP has hopefully contracted with a 3PAO by this point. Like the labs in the Common Criteria and FIPS certification processes, you can expect that the 3PAOs will work with the CSPs to determine what’s possible and what’s not, so the CSP is putting its best foot forward with the JAB.
The package is then reviewed by the 3PAO. Once the 3PAO approves, either an agency or a CSP can submit the package to the JAB for a security assessment. Because everything goes back to FISMA, the assessment is based on the NIST SP 800-37 process.
The JAB is responsible for its queue of package submissions. They determine the priority they give to a particular package, and will give preferential treatment to CSPs who are already in use and have an agency authorization. If everything’s in order, the JAB gives the CSP a FedRAMP Provisional Authorization.
With the provisional authorization in hand, the cloud can now be used by other agencies. If an agency wants to use the CSP, they can find the Provisional Authorization in the FedRAMP repository and say: “I’m going to do what that other guy did.” An agency can refer to the provisional authorization and add additional controls or requirements on top to grant the CSP an ATO. Note that the agency must still issue an ATO; as “mrfisma” puts it in the comments below, “any agency system owner who thinks they can completely outsource their FISMA compliance obligations by going to the cloud is mistaken.”
Once a CSP has a provisional authorization in the FedRAMP repository, they’re subject to an ongoing assessment and authorization process administered by the FedRAMP Program Office and DHS. They’ll be audited annually by their 3PAO. They’re on the hook for setting up an automated feed that allows FedRAMP and DHS to get real-time information for some key controls. They also have to follow OMB M-07-16 and NIST Special Publication 800-61 to cooperate with the government on incident response.
FedRAMP is watching the CSP the whole time to determine how things are working out. If they’re unhappy, they may revoke the provisional authorization.
Just kidding! There is no such thing as a full FedRAMP authorization. Remember, only agencies can grant authorizations under FISMA, so the best FedRAMP can do is provide a provisional authorization, which the agencies can use to grant an ATO more quickly.
FedRAMP obviously can’t put all of this in place tomorrow, so they have a roadmap. I’ll just paste the diagram here for now; it’s pretty self-explanatory.
[The diagrams in the post come from the FedRAMP CONOPS document.]
[Updated 5 March 2012 to incorporate some excellent feedback from mrfisma, which you can find in the comments below.]