Cybersecurity

Why FedRAMP should matter to you

FedRAMP logo -- GSA image

FedRAMP. If you haven’t yet heard of it, consider this your call to action. 

The Federal Risk and Authorization Management Program (FedRAMP) develops tough security standards that form the basis of its certification protocol for cloud services providers (CSPs). Beginning in June 2014, all CSPs that deliver, or plan to deliver, services to the federal government will be required to obtain FedRAMP certification.

That certification process can be lengthy and complicated. It takes six to 12 months to complete an application, which is followed by an independent third-party evaluation. Both phases of the process must be completed successfully in order to obtain certification.

FedRAMP offers a clearinghouse to determine which providers are most suitable for multiagency use, and the process is designed to find solutions that align with many different agency needs. The needs of one agency may not reflect what another agency requires; FedRAMP certification provides a well-vetted selection of CSPs for all federal agencies to choose from.

Demand from CSPs hoping to complete the certification process is high, but rigors of the FedRAMP process ultimately deny certification to all but the best prepared and most flexible providers.The certification process can be daunting – not all providers are afforded the opportunity to complete certification. To date, only nine CSPs have achieved FedRAMP certification; IBM is the most recent provider to join the ranks.

The six steps outlined below offer helpful guidelines to enable providers to navigate through the process.

-- Clearly understand the entire process, including all requirements.  CSPs must ensure all FedRAMP requirements are within the context of their technology environments and their business knowledge. They must have demonstrable understanding of and expertise in their respective industries, and they must prepare well in advance of the deadline. CSPs that begin the certification process without sufficient preparation are sure to face a more-protracted process. For providers that intimately understand what the certification process means for their particular organizations, the process will be much easier to complete.

-- Use the materials available at FedRAMP.gov. The website provides various documents, reference materials, templates, and webinars designed to familiarize prospective providers with FedRAMP requirements. In-depth research now can help lay the groundwork for a successful application.

-- Plan to attend at least one monthly document workshop. FedRAMP hosts events each month to educate providers about the certification process and the requisite documents required for a successful application. The workshops also provide a forum to answer questions about the process and troubleshoot difficulties organizations may encounter as they move through it. 

-- Determine eligibility for a federal agency sponsor. For providers with existing agency relationships or with expressed interest to purchase services from a federal agency, sponsorships may be available.  Sponsorships allow providers to go through the certification process through a particular agency rather than applying directly on their own. While a sponsorship can greatly reduce the amount of time providers spend participating in the process, they can also limit the inter-agency applicability of services and ultimately hinder a successful certification. Again, a solid understanding of how a provider’s services fit within broad-based multiple agency requirements will help providers decide whether it’s best to seek a sponsorship or apply independently. 

-- Get to Know the FedRAMP system security plan (SSP). The SSP is a critical component of the FedRAMP certification process. It provides a 400-page template that all CSPs must use to furnish information on their system inventories, boundaries and controls. Completed SSPs must meet 298 control requirements as outlined by the National Institute of Standards and Technology. The importance of the SSP cannot be overstated; incomplete or inaccurate SSPs can stall the application process significantly. In fact, FedRAMP will not assign CSPs to an information security system officer for a formal assessment until the SSP is complete. Companies that invest in the research of and preparation for all FedRAMP requirements will be able to identify gaps and other weak areas in their applications that might require additional support, making the process faster and more efficient.

-- Engage a reputable third-party organization (3PAO) to perform the FedRAMP assessment. CSPs are free to engage any third-party they choose, so it’s best to choose a provider that understands how a particular business works and the benefits it can offer government markets. It also helps to choose a provider early to support and coordinate efforts throughout the process.  3PAOs will perform initial and ongoing independent validation of the security abilities CSPs have in place in addition to the ones they will need to implement in order to achieve certification. The successful verification of the CSP by the 3PAO is the final step in the certification process.

June 2014 is just around the corner. The deadline is looming, and CSPs cannot afford to wait to begin the process. Understanding FedRAMP requirements up front will enable CSPs to move through the process seamlessly and efficiently. 

About the Author

Paul Nguyen is President of Global Cyber Solutions at CSG Invotas (NASDAQ: CSGS), a global provider of interactive transaction-driven solutions and services.

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.

Featured

  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from Shutterstock.com

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Tue, Jan 12, 2016 Aimee McLaughlin

"Plan to attend at least one monthly document workshop. FedRAMP hosts events each month to educate providers about the certification process and the requisite documents required for a successful application. The workshops also provide a forum to answer questions about the process and troubleshoot difficulties organizations may encounter as they move through it. " - I have never seen any information on the FedRAMP website about monthly workshops. Is this accurate?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group