I am delighted that Schellman is now an accredited FedRAMP 3rd Party Assessment Organization (3PAO). This is a testament to our extensive experience in the cloud service provider (CSP) space and the qualifications and experience of a licensed CPA firm, PCI QSA company, and ISO 27001 certification body.
FedRAMP is a new federal government program with significant complexity pertaining to the overall authorization process, the assessment of CSPs, and how to attain, authority to operate (ATO) from a federal agency. As one of the initial 3PAOs selected, Schellman recognizes its responsibility to educate the CSP community about FedRAMP.
Over the coming months, you will hear from us on a variety of FedRAMP topics as we publish whitepapers; additional articles, and provide no-cost educational webinars. In addition, Schellman will provide one-on-one consultations with any CSP considering FedRAMP validation.
As an initial starting point, I have assembled what I believe to be the first five things a CSP should know when considering FedRAMP.
1. FedRAMP is an assessment program for any CSP seeking to provide services to federal agencies.
FedRAMP provides a standardized approach for baseline security assessment, authorization, and continuous monitoring of cloud products and services. This new federal program is part of an overall strategy to reduce time and cost commitments incurred by agencies and CSPs. Its “do once, use many times” framework reduces inefficiencies resulting from redundant agency security assessments.
2. FedRAMP will be mandatory for CSPs
While the deadline for implementation has not been finalized, FedRAMP is expected to be mandatory within the next three years. However, “early adopters” are already starting the application process.
3. FedRAMP may be the most comprehensive audit your organization ever goes through.
Make no mistake; the assessment and the required preparation are extensive. CSPs are required to adhere to a FedRAMP modified version of the NIST 800-53 control set which includes 296 controls across 17 domains.
For the actual assessment, Schellman largely assumes responsibility for three major deliverables: the security assessment plan (SAP), security assessment report (SAR), and security assessment test cases, which document the testing of the above mentioned controls.
The CSP has responsibility for four noteworthy deliverables during the initial application process and approximately 12 others as part of the initial assessment. This is in addition to documenting in-place security policies, procedures, and standards. These detailed requirements are listed in section 10 of the FedRAMP Concept of Operations document and described further in various sections therein. I highly recommend that any CSP considering FedRAMP authorization immediately read this “ConOps” document.
4. FedRAMP is not FISMA and CSPs are not FISMA-Certified.
The Federal Information Security Management Act (FISMA) is the regulation with which agencies must comply. As part of their compliance, the agency is expected to assess the security of their third party service providers. FedRAMP is a mechanism that allows agencies to bypass certain baseline controls testing by individual federal agencies. The FedRAMP process does not result in a certification of any kind. Furthermore, there is no such thing as FISMA “certified”.
5. A successful 3PAO assessment does not guarantee provisional authorization or ATO.
During the initial application process, CSPs are placed in prioritization by of the FedRAMP program management office (PMO). An assessment cannot begin until the Joint Authorization Board (JAB) reviews the initial application and provides an approval to proceed with the process.
When the assessment is complete, the CSP submits the assessment reports and other documents as part of the authorization package. The FedRAMP JAB performs an extensive review and, if approved, provides provisional authorization to the CSP. Provisional authorization means that the FedRAMP PMO has verified the CSP’s compliance with FedRAMP requirements and listed the CSP on the centralized list of providers with provisional authorization. Agencies will utilize that list as a starting point for to source cloud services. Then, each agency must review the package and can decide if it wishes to grant ATO. The agencies are free to impose additional requirements or request additional information as part of that process.
FedRAMP is a complex program with many moving parts. Therefore, it is very important to select a 3PAO that has in-depth expertise within the CSP space, experience reviewing and testing internal controls, specifically security controls, and the ability to provide other leveraged services to integrate compliance efforts.
Schellman is actively working with many of our clients as they prepare for FedRAMP. We provide executive orientation, on-site training and webinars, scoping and gap analysis. NIST 800-53 benchmarking, initial 3PAO security assessment, and mandatory annual 3PAO reassessment.
Additional information may be found on Schellman’s website or on the FedRAMP website. I recommend that you check both frequently. Since FedRAMP is a new program, we expect a significant amount of new guidance to be posted over time. Please contact us today if we can assist you.