Trend watchers have long predicted agencies are poised for cloud adoption. The claim has merit as the cloud delivers increased flexibility and mobility, better security monitoring, quicker disaster recovery, and reduced costs. Risk management providers spotted the coming opportunity and began positioning services and products for the inevitable partnerships awaiting it in the cloud. When the Department of Defense announced in 2017 it would embrace cloud computing, many saw it as a further sign that other agencies might follow suit.

The government has urged the private sector to offer agencies secure cloud solutions through the Federal Risk and Authorization Management Program (FedRAMP), which establishes baseline standards for security assessment, authorization, and continuous monitoring for cloud service providers (CSPs).

Achieving accreditation is no easy task – a reality that FedRAMP acknowledges as it strives to improve its program. For most providers, it is an intensive but worthwhile undertaking that helps to refine internal security and increased rigor, essential for maintaining CSP status.

For those providers that plan to pursue FedRAMP accreditation for their services, below are six key considerations to help guide FedRAMP accreditation efforts.

Consideration 1: Which type of cloud services are eligible for accreditation?

The cloud services eligible for accreditation include Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

IaaS

The IaaS CSP will supply everything in the IT stack up to the operating system (OS), managing storage resources, replication backup and archiving computer resources provided by servers, and connectivity domains. The IaaS CSP has a limited set of NIST 800-53 controls to manage for FedRAMP accreditation. Choosing to offer IaaS may limit your potential client base, as many prefer to offload platform responsibilities to focus on software applications.

PaaS

The PaaS CSP supplies all IaaS services plus the OS, middleware (web and application servers), and runtime application programming interface. This offering attracts a larger base of clients interested in hosting their SaaS applications. The PaaS CSP must implement more NIST 800-53 FedRAMP security controls than an IaaS CSP, including application-level controls. This would increase responsibilities, resources, and cost to complete FedRAMP accreditation and implement continuous monitoring.

When weighing whether to offer IaaS or PaaS, know that the market is dominated by big players such as Amazon Web Services (AWS), Google, Oracle, and Microsoft. Before pursuing either accreditation, first analyze the feasibility of any successful business opportunities.

SaaS

SaaS is the most common FedRAMP accreditation, with the SaaS CSP hosting its cloud application on any of the FedRAMP-accredited IaaS or PaaS CSPs, such as Amazon Web Services (AWS) or Microsoft Azure. This accreditation focuses the SaaS CSP’s responsibility to the application controls only, with most of the remaining controls inherited from the FedRAMP accredited host.

Consideration 2: Which level of accreditation?

Not all applications are alike or carry the same risk, so FedRAMP created varying levels of accreditation.

FedRAMP Tailored (Low)

CSPs with low-risk applications can pursue authorization using the FedRAMP Tailored baseline, streamlining processes for Low-Impact SaaS (i.e., collaboration tools and project management applications). CSPs can offer low-risk services to agencies but not to those with moderate- or high-risk needs.

Moderate

CSPs with moderate accreditation must adopt 325 NIST 800-53 controls and enhancements to protect client data and investment. This level of accreditation is most commonly sought by agencies, but moderate CSPs cannot host client data with high-level protection requirements.

High

CSPs with high accreditation must implement 421 NIST 800-53 controls to protect client data and investment. This effort is costlier for initial accreditation and for implementing continuous monitoring. However, a high CSP can host clients with all forms of unclassified data – low, moderate and high.

Consideration 3: Which accreditation path?

The main paths to accreditation are the Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) and the Agency-Sponsored ATO. Another option is for the CSP to undergo a readiness assessment for later accreditation.

JAB P-ATO

To seek JAB approval for a FedRAMP accreditation requires the CSP to submit a business case to the Program Management Office (PMO). While this path is the most trusted route to FedRAMP accreditation, JAB selects only a dozen business cases for review each year. Conceivably, the process could take years to complete, with the CSP losing valuable time to market services to potential clients. The JAB requires that all controls be implemented, and it does not accept any risk. Due to the high costs, a CSP should only consider this option if it is certain to have interested clients at the end of the process.

Agency-Sponsored ATO

Seeking this option, the CSP must submit the FedRAMP security package, and the sponsoring agency must accredit the CSP for the accreditation package to be approved by the FedRAMP PMO. This typically requires the involvement of a Third-Party Assessment Organization (3PAO) and an ATO is limited to the sponsoring agency. Extending services to other agencies would require re-evaluation and re-engagement of a 3PAO.

Readiness Assessment Report

The CSP can independently pursue a 3PAO Readiness Assessment Report (RAR). The process requires that a 3PAO perform a RAR to ensure a system has the capabilities for later accreditation. The RAR demonstrates a CSP is FedRAMP “Ready” and can give agencies the confidence to sponsor the CSP.

Consideration 4: Should I hire a 3PAO for a pre-assessment?

Hire a 3PAO

The FedRAMP-accredited 3PAO guides the CSP through the FedRAMP security package to ensure it includes the necessary technical details. However, a CSP should weigh the additional costs of hiring a 3PAO.

Complete Package Independently

The CSP documents its information system on its own to avoid the costs of hiring a 3PAO. However, the PMO might reject the CSP’s FedRAMP security package, delaying the assessment and accreditation, adding cost and resources.

Consideration 5: Ready for the assessment – now what?

CSP Selects a 3PAO

FedRAMP mandates CSPs seeking accreditation must engage an accredited 3PAO to independently assess their prepared material, perform vulnerability scans and penetration tests, conduct interviews, and complete all required testing and evaluation.

The CSP must select a 3PAO from the list of FedRAMP-accredited organizations to perform an independent assessment. The PMO then performs its own independent verification of the package. The CSP bears the cost of hiring the 3PAO and conducting the assessment.

Agency Selects a 3PAO

Sometimes the sponsoring agency selects an Independent Assessor to fully assess the CSP’s system, at no cost to the CSP. However, usually, the CSP is required to hire the 3PAO for the assessment.

Regardless of who pays for the 3PAO, the FedRAMP PMO must review and approve the package for final accreditation. The CSP is responsible for addressing PMO requirements and any revisions to earn approval, a process that can take up to six months.

Consideration 6: FedRAMP accredited – what next?

To maintain accreditation, the FedRAMP PMO requires the CSP implement continuous monitoring and undergo annual 3PAO assessments. The CSP must perform a set of tasks on a predefined schedule, such as monthly scans, ongoing Plan of Action and Milestones (POA&M) mitigation, and continuous risk assessment and monitoring. At its expense, the CSP can engage a 3PAO for help with continuous monitoring activities, as defined by FedRAMP, or just for help with the annual assessment.

As you can see, there are many considerations on the path to FedRAMP accreditation. Given the amount of time, money and resources required, it’s key to have your end goal in mind when you start your journey. This way you are best prepared to meet the stringent requirements as efficiently as possible in the least amount of time. Good luck!

Interested in learning more about this topic and others? MISTI's 25th annual InfoSec World Conference & Expo is the perfect in-person opportunity to make that happen.

Kevin Liu