Data security is a major concern for almost everyone. From organizations to individuals, most of us who use or supply cloud-based services want to ensure that our information stays confidential and accessible.
However, these concerns are amplified to the level of national security when government data is involved. That’s why the U.S. government has a stringent set of security requirements known as FedRAMP®. All cloud vendors that provide services to federal agencies must comply with these standards.
Read on to learn more about FedRAMP and what it entails for cloud service providers.
What is FedRAMP Compliance?
Federal Risk and Authorization Management Program, or FedRAMP, is a standardized security assessment and authorization approach. It was established in 2011 to reduce duplication of effort and unnecessary costs and ensure consistent security assessment. Its goal is to ensure that all federal data has a high level of protection in the cloud.
Getting FedRAMP authorization is a serious process and is arguably the most demanding SaaS certification. There are 14 laws and regulations, plus 19 guidance and standards documents regulating the level of security.
Initially, FedRAMP acceptance was slow. There were only 20 authorized cloud services in the first four years. However, the numbers began to pick up quickly after 2018 when demand grew, and today, there are more than 200 FedRAMP-authorized products. The Joint Authorization Board (JAB) controls FedRAMP and consists of representatives from:
- The Department of Defense (DoD)
- The Department of Homeland Security (DHS)
- The General Services Administration (GSA)
The Federal Chief Information Officers Council also endorses the program.
Why FedRAMP certification matters & how it works
Every cloud service that holds federal data requires FedRAMP authorization. That means that if you want a lucrative federal government contract, FedRAMP is essential for your security plan.
Once you’re certified, your organization is listed on the FedRAMP marketplace. It’s a marketplace that government agencies choose from when looking for a new cloud-based solution. However, it is also open for private individuals to check as well. Many organizations check the website to find a secure cloud product or service source. If you have FedRAMP authorizations, your clients will likely feel more confident about your security protocols — it showcases your ongoing commitment to meeting high-security standards.
Many of your clients may not understand what FedRAMP is exactly. However, many larger organizations in the public and private sectors may see authorization as a deal-breaker.
FedRAMP Compliance requirements
Achieving compliance is a long and rigorous process. However, at a high level, it requires:
- Completed documentation, including FedRAMP SSP
- Controls in compliance with FIPS 199 categorization
- Cloud service offering (CSO) assessed by a third-party assessment organization (3PAO)
- A Plan of Action and Milestones (or POA&M)
- Remediation of findings
- Either an Agency Authority to Operate (ATO) letter or JAB Provisional ATO
- A Continuous Monitoring (ConMon) program with monthly vulnerability scans
Agency vs. JAB Authorization
Two ways to become FedRAMP authorized are through Joint Authorization Board (JAB) provisional authority or a specific federal agency. Here are the differences between the two:
The JAB issues provisional authorizations that signal to agencies that the board has reviewed the system’s risk. It is the first step toward full approval and is well suited for service providers at the moderate or high impact level. It is also the more strenuous path because it clears a system for higher levels of security.
Agency authorization is when a cloud service provider builds a relationship with a particular federal agency that takes part in the process. The agency then issues an Authority to Operate (ATO) letter after the provider successfully completes partnership establishment and the full security assessment and authorization process.
Categories of FedRAMP Compliance
FedRAMP has four impact levels that identify different kinds of risk. They describe the possible impact of a cyber breach in three critical areas:
- Confidentiality, or the protection of proprietary and private information
- Integrity, or protection against modification or destruction of information
- Availability, or reliable and timely access to data
The first three levels are from the Federal Information Processing Standards (FIPS) 199. The last is a newer category added in 2017 based on NIST Special Publication 800-37. The levels are:
- High. This level is approved for the most sensitive data, where loss could have severe or catastrophic effects. It typically applies to emergency, financial, law enforcement, or health services.
- Moderate. This is where almost 80% of applications are approved. Loss of confidentiality or availability would severely impact operations, assets, or individuals.
- Low. This level means that any loss in confidentiality or availability would have a limited adverse impact on the organization.
- Low-Impact Software-as-a-Service (LI-SaaS). This category was added to make it easier to approve low-risk cases. It’s for use cases such as project management applications, collaboration tools and developing open-source code. It’s also called FedRAMP Tailored.
(Splunk is thrilled to be working towards FedRAMP High authorization, with an official “In Process” designation.)
Tips for achieving authorization
Because of the high standard that FedRAMP represents, achieving authorization can be challenging. Here are some tips for navigating the process and achieving compliance:
- Perform a gap analysis to find any areas in your organization whose security controls need to improve to meet FedRAMP requirements.
- Get total organizational buy-in, starting with executive leadership. Typically, the process works best when executive leadership agrees on the value of authorization, gives the directive and invests in it; when your team is familiar with IT audits; and when your technical team supports the work required to meet federal security standards early in the process.
- Find an agency that will partner with you to issue an ATO. Identify one that is committed to using your product. You can use the FedRAMP PMO to communicate the requirements and responsibilities to your Agency partner if necessary.
- Take your time to define your authorization boundary. It needs to outline your system’s internal connections and components to external systems and services and report the flow of federal metadata and information through your system. It is a core component of your System Security Plan, and it is critical that you accurately illustrate your system’s authorization boundary.
- Stay patient. FedRAMP is a process, not a project with a start and end date. While initial authorization is a milestone, it only showcases your system’s risk posture at one point in time. Your system must be monitored continuously to maintain a consistent, appropriate risk posture.
- Consider your authorization approach if you have more than one product. It might be more effective to go through the authorization process product by product instead of all at once.
Perhaps the best tip? Use the FedRAMP Program Management Office (PMO) for help. It is a valuable resource with a wealth of information to get you started, discuss strategy and answer your technical questions.
Achieving FedRAMP Compliance for enhanced security
FedRAMP compliance is a rigorous process, but it offers you, as a cloud service provider, an opportunity to expand your product to the federal government and showcase your commitment to security to larger customers.
As you contemplate the FedRAMP authorization process, consider whether the agency or JAB path is best for your product. Ensure that your entire organization is on board with committing to the process and making the necessary investment and changes to obtain compliance. Also, remember that it is a continuous process that requires an ongoing commitment to monitoring and improving your security measures.
While it may require more work, FedRAMP compliance allows your organization to expand your network and enhance your security.