The Federal Risk and Authorization Management Program (FedRAMP) Overview
FedRAMP applies to any cloud service or solution provider aiming to work with the U.S. federal government. In 2011, the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense (DOD), the Department of Homeland Security (DHS) and other government agencies collaborated to develop the framework. As a result, the government-wide program establishes a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP, like other federal frameworks such as FISMA, ties to the NIST 800-53 control library. However, FedRAMP includes additional controls regarding the unique aspects of cloud computing, enhancing the standard baseline controls. Furthermore, FedRAMP is divided into 3 levels of risk impact. The levels are used to determine the set of controls an organization must adhere to, depending on their inherent risk. See left column for additional details.
Process for a FedRAMP certified Cloud Service Provider (CSP):
- Pre-Authorization – Confirm an interest from a potential sponsor agency. Develop a relationship with a 3rd Party Authorizing Organization (3PAO).
- Authorization – Kickoff meeting with agency, 3PAO, and Project Management Office (PMO). CSP completes System Security Plan (SSP). 3PAO completes testing and submits the Security Assessment Report (SAR). CSP builds Plan of Action & Milestones (POA&M). Authorization decision.
- Post-Authorization – CSP provides monthly continuous monitoring reports to prove compliance.
- “Do Once, Use many Times” – Once authorized, CSP can be used by other agencies. Listing on FedRAMP Marketplace.
Ongoing compliance with FedRAMP requirements is a constant concern for all cloud service providers. As such, continuous monitoring deliverables must be presented to and reviewed by the Government Agency (or Agencies) that are using the service. Further, agencies submit quarterly reports of all existing cloud services being used that do not meet FedRAMP requirements. And, if the agency and provider cannot provide sufficient rationale and a proposed resolution plan, the provider will be deemed non-compliant and their contract is jeopardized.
FedRAMP was designed to mitigate agencies’ risk, but also provide an easy way to acquire authorized cloud services. If a CSP is already FedRAMP approved, the only step left is to issue a new Authority to Operate (ATO). This prevents CSPs and Agencies from duplicating work that has already been done as part of the initial authorization. To say the least, this makes security professional’s lives easier, and saves everyone time and money. Additionally, once a service offering is authorized, it is listed in the FedRAMP Marketplace, a common source for government work.
Your FedRAMP Solution: Q-Compliance
Q-Compliance is purpose-built to help you streamline and automate complex cybersecurity auditing and compliance requirements like FedRAMP. As a native Splunk solution, Q-Compliance leverages continuous monitoring and reporting to ensure compliance in real-time.
Qmulos makes ongoing FedRAMP compliance easy with automated alerting tied to passing and failing controls. If a control fails, a detailed report with actionable information to address the issue is generated. The solution gives the user the ability to upload policy, procedure and file evidence as well as automatically log human activity, and keeps evidence needed for future audits all in one place.
The FedRAMP dashboard helps you track how your organization and systems are scoring against each control category, and where you need to improve to pass an audit. Additionally, the dashboard provides the ability to quickly drill into specific domains to view compliance against the capabilities, practices, and processes set forth. Furthermore, you can drill into individual controls to see the specific systems, events, and assets that are non-compliant. The compliance dashboards allow a step-by-step process for drilling into the problem spots within your organization or system.
Additionally, framework specific scorecards (like the one below) provide real time answers to your operational status to prepare for and pass audits. The FedRAMP Risk Scorecard breaks your risk level down into different levels of granularity as you move down the page. Learn more about our Risk Scorecards in our Q-Compliance V3.3 Product Release.
In conclusion, Q-Compliance makes keeping up with FedRAMP and maintaining compliance with other standards like NIST 800-53 simple. If there are further questions or you’d like to see a demo, contact sales@qmulos.com to learn more about our capabilities.