To do business with government entities, organizations have to be FedRAMP compliant. With 14 applicable laws and 19 standards, this is one of the more difficult and tedious certifications to get, but can be a huge source of revenue when selling products or services.
Organizations are often unsure where to start and can get lost in the sea of information that exists about FedRAMP. For those interested, below is a high-level outline of the process for reaching FedRAMP compliance.
FedRAMP stands for the Federal Risk and Authorization Management Program and came to fruition in 2012 with the renaissance of cloud computing. The standard is controlled by the Department of Homeland Security, the General Services Administration, and the Department of Defense. It is a government-wide program that provides a repeatable process for authorizing cloud-based services. FedRAMP is intended to provide a standard for cloud-based services that reduces duplicative efforts and increases overall security posture.
1. Get Assessed
The best way to become FedRAMP compliant is to work with a FedRAMP-accredited third-party assessment organization (3PAO). 3PAOs are neutral, outside parties that assess the security of your organization by examining your infrastructure, policies, procedures, and processes. Afterwards, the 3PAO can provide the organization with a list of gaps that need to be addressed.
2. Get an SSP
Once an organization has addressed the gaps identified in the 3PAO assessment, it can submit a System Security Plan (SSP) to the 3PAO for review. The SSP should include a detailed description of the system’s architecture, security controls, and processes. The 3PAO will review the SSP and, once again, provide feedback on any areas that need to be improved.
3. Get Accepted
Once the SSP is approved, the organization can finally submit it to the FedRAMP office for a final review. The FedRAMP office will then review the SSP and determine whether the organization is compliant with all of the FedRAMP security requirements. If the organization passes the review, it will be awarded a Provisional Authority to Operate. This authorization is valid for three years and must be renewed in order to remain active.
4. Get Consistent
However, it doesn’t stop there. Organizations must continue conducting regular security assessments, monitoring security incidents, and providing training to employees to remain in good standing with FedRAMP. Organizations should follow the NIST 800-53 control framework, as this set of security controls helps protect the integrity of the organization’s information.
FedRAMP is more than just checking a box; it’s a whole way of operating and doing business. Sometimes this process takes organizations years to get right. Currently, only about 200 organizations are FedRAMP compliant. Your journey might look a little different from what was outlined above, and organizations face a variety of different challenges on the way to compliance, but the journey is truly worth it in the end.