Why FedRAMP should matter to you
- By Paul Nguyen
- Feb 11, 2014
FedRAMP. If you haven’t yet heard of it, consider this your call to action.
The Federal Risk and Authorization Management Program (FedRAMP) develops tough security standards that form the basis of its certification protocol for cloud services providers (CSPs). Beginning in June 2014, all CSPs that deliver, or plan to deliver, services to the federal government will be required to obtain FedRAMP certification.
That certification process can be lengthy and complicated. It takes six to 12 months to complete an application, which is followed by an independent third-party evaluation. Both phases of the process must be completed successfully in order to obtain certification.
FedRAMP offers a clearinghouse to determine which providers are most suitable for multiagency use, and the process is designed to find solutions that align with many different agency needs. The needs of one agency may not reflect what another agency requires; FedRAMP certification provides a well-vetted selection of CSPs for all federal agencies to choose from.
Demand from CSPs hoping to complete the certification process is high, but the rigors of the FedRAMP process ultimately deny certification to all but the best prepared and most flexible providers. The certification process can be daunting – not all providers are afforded the opportunity to complete certification. To date, only nine CSPs have achieved FedRAMP certification; IBM is the most recent provider to join the ranks.
The six steps outlined below offer helpful guidelines to enable providers to navigate through the process.
-- Clearly understand the entire process, including all requirements. CSPs must understand all FedRAMP requirements in the context of their own technology environments and business knowledge. They must have demonstrable understanding of and expertise in their respective industries, and they must prepare well in advance of the deadline. CSPs that begin the certification process without sufficient preparation are sure to face a more protracted process. For providers that intimately understand what the certification process means for their particular organizations, the process will be much easier to complete.
-- Use the materials available at FedRAMP.gov. The website provides various documents, reference materials, templates, and webinars designed to familiarize prospective providers with FedRAMP requirements. In-depth research now can help lay the groundwork for a successful application.
-- Plan to attend at least one monthly document workshop. FedRAMP hosts events each month to educate providers about the certification process and the requisite documents required for a successful application. The workshops also provide a forum to answer questions about the process and troubleshoot difficulties organizations may encounter as they move through it.
-- Determine eligibility for a federal agency sponsor. For providers with existing agency relationships, or whose services a federal agency has expressed interest in purchasing, sponsorships may be available. Sponsorships allow providers to go through the certification process through a particular agency rather than applying directly on their own. While a sponsorship can greatly reduce the amount of time providers spend participating in the process, it can also limit the inter-agency applicability of services and ultimately hinder a successful certification. Again, a solid understanding of how a provider’s services fit within broad-based multiple agency requirements will help providers decide whether it’s best to seek a sponsorship or apply independently.
-- Get to know the FedRAMP system security plan (SSP). The SSP is a critical component of the FedRAMP certification process. It provides a 400-page template that all CSPs must use to furnish information on their system inventories, boundaries and controls. Completed SSPs must meet 298 control requirements as outlined by the National Institute of Standards and Technology. The importance of the SSP cannot be overstated; incomplete or inaccurate SSPs can stall the application process significantly. In fact, FedRAMP will not assign CSPs to an information system security officer for a formal assessment until the SSP is complete. Companies that invest in the research of and preparation for all FedRAMP requirements will be able to identify gaps and other weak areas in their applications that might require additional support, making the process faster and more efficient.
-- Engage a reputable third-party assessment organization (3PAO) to perform the FedRAMP assessment. CSPs are free to engage any third party they choose, so it’s best to choose a provider that understands how a particular business works and the benefits it can offer government markets. It also helps to choose a provider early to support and coordinate efforts throughout the process. 3PAOs perform initial and ongoing independent validation of the security capabilities CSPs already have in place, in addition to the ones they will need to implement in order to achieve certification. The successful verification of the CSP by the 3PAO is the final step in the certification process.
June 2014 is just around the corner. The deadline is looming, and CSPs cannot afford to wait to begin the process. Understanding FedRAMP requirements up front will enable CSPs to move through the process seamlessly and efficiently.
Paul Nguyen is President of Global Cyber Solutions at CSG Invotas (NASDAQ: CSGS), a global provider of interactive transaction-driven solutions and services. Paul specializes in governance, risk, compliance solutions, information management, and information security strategy for global communications and systems integration organizations that have included KCG, Neohapsis, Deloitte, Symantec, BearingPoint, and Telcordia. He is a well-known cybersecurity expert and frequent contributor to media outlets such as CSPAN, ISC2, WashingtonExec, Government Executive, Federal Computer Week, and Government Computer News. He has published numerous articles, white papers, and security assessments to the federal government and commercial clients.