How can you achieve FedRAMP certification?

CSPs receive FedRAMP authorization. At the end of the process, a federal agency authorizes the system for use within their agency with an Authority to Operate (ATO) letter. There are four main phases to become FedRAMP authorized.

How can you stay in compliance with FedRAMP?

CSPs are complete once the ATO is issued. Continuous monitoring is a key component to maintaining FedRAMP authorization. CSPs must continuously: Monitor their environment for vulnerabilities Report the status of previous audit findings and vulnerabilities each month Report new vulnerabilities that aren’t fixed on time Have their 3PAO reassess the environment each year

For how long is FedRAMP authorization good?

Each federal customer will issue their own ATO based on the document package, and each agency can decide the duration of their ATO validation. CSPs should meet with their agency customers each month to communicate the status of current and past vulnerabilities, but also their standing with those customers.

Do you need a sponsor for FedRAMP?

There are two main paths to FedRAMP Authorization. Most CSPs work directly with a federal agency to get through the FedRAMP program. In some cases, CSPs can work with the FedRAMP Joint Authorization Board (JAB) to get a Provisional Authority to Operate (P-ATO). The JAB is comprised of representatives from the General Services Agency (GSA), Department of Homeland Security (DHS), and the Department of Defense (DoD). CSPs working towards FedRAMP but not yet ready for a full assessment can complete a Readiness Assessment Report (RAR) to get listed on the FedRAMP Marketplace as “FedRAMP Ready.”

Article

FedRAMP: FAQs to understand the authorization process

May 8, 2022 · Authored by Christian Hansen

Cloud-based services deliver a variety of on-demand services — applications, development platforms, servers, data storage, and more — to customers over the internet. When the customer is a federal agency, security is essential for the cloud service and the data that’s used and stored.

The government requires cloud service providers (CSPs) used by federal agencies to undergo an authorization process known as FedRAMP.

Following are some commonly asked questions about the program.

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program defining standardized security assessment, authorization, and monitoring processes that allow CSPs to be used by all federal agencies.

What are the benefits of FedRAMP for your business?

FedRAMP uses an audit-once, use-many-times methodology.

The streamlined approach allows agencies to save time, money, and effort when using cloud services while also protecting federal information.

What are the FedRAMP control requirements?

FedRAMP control requirements derive from the National Institute of Standards and Technology (NIST) Special Publication 800-53 revision four. The controls are selected based on the risk impact level of the system.

While CSPs can identify the risk level of their system, it’s best to work with your agency customers to identify their specific use case to finalize the system impact level.

Christian Hansen

Principal

FedRAMP: FAQs to understand the authorization process

What is FedRAMP?

What are the benefits of FedRAMP for your business?

What are the FedRAMP control requirements?

Christian Hansen

How can you achieve FedRAMP certification?

1. Control implementation and documentation

2. 3PAO assessment

Control testing

Penetration testing

3. Document evaluation by CSP agency customer

4. PMO review

How can you stay in compliance with FedRAMP?

For how long is FedRAMP authorization good?

Do you need a sponsor for FedRAMP?

Have questions? Baker Tilly can help.