FedRAMP: A Heavyweight Security Framework for Cloud Service Providers

How the FedRAMP rules came into being … and how the program interplays with FISMA, RMF, NIST 800-53, SOC 2, ISO 27001, and others.

Rob Hegedus, CEO at Sera-Brynn

Suffolk, Va. – Jan. 2, 2019

The first rule of FedRAMP is …

You do not talk about FedRAMP! (That’s of course a quote from Fight Club, a movie about an insomniac office worker looking to shake things up with, well … fighting.) The real first rule about FedRAMP is that it’s a certification companies should get if they want to prove that their cloud services and products are secure enough for U.S. government data.

The U.S. government strives to use a mix of commercial cloud technologies, private government clouds, and regional state and local government clouds. FedRAMP, or the Federal Risk and Authorization Management Program, certifies both public and private sector cloud service providers (CSP). It is rigorous. The assessment must be done by an authorized assessor. The process to become that authorized assessor is also rigorous. So, if you want to get in the ring and become a FedRAMP-authorized CSP or assessor, be prepared: it may not be a slugfest, but it’s challenging.

This edition of the Sera-Brynn Compliance Report aims to explain how the FedRAMP rules came into being … and how the program interplays with FISMA, RMF, NIST 800-53, SOC 2, ISO 27001, and other security frameworks.

But first, who should care about FedRAMP and why?

CSPs – Cloud Service Providers have the biggest stake here. If they want to build a trusted and compliant cloud solution to sell to government agencies, understanding FedRAMP is a must.

3PAOs – Third Party Assessment Organizations (like Sera-Brynn) must follow complex FedRAMP rules, templates, and standard-reporting tools to assess and validate CSPs. 3PAOs should understand the history of the program, as well as how emerging regulations impact its implementation. Overlapping compliance mandates cause real world problems.

Government contractors and employees working with FedRAMP-authorized products and services. Get smart(er). Why not?

Other organizations – FedRAMP is essentially a risk management tool and security framework. If your organization is implementing or considering NIST 800-171, NIST 800-53, ISO 27001, or any other cybersecurity framework, then general knowledge of the FedRAMP levels and security controls is beneficial.

FedRAMP: The Timeline

1) Before FedRAMP, there was FISMA. FISMA, or the Federal Information Security Management Act, was passed in 2002. FISMA 2002 defined the IT security requirements for federal agencies. FISMA stated that each federal agency must develop, document, and implement an agency-wide program to provide information security to protect their data and systems.

2) NIST enters the ring. Under FISMA 2002, NIST, or the National Institute of Standards and Technology, was required to produce several key security standards (for agencies) to support and implement FISMA. The project was called The FISMA Implementation Project. NIST subsequently created: FIPS 199, FIPS 200, and NIST Special Publications (SP) 800-53, 800-59, 800-60. Then NIST began developing NIST SP 800-37, 800-39, 800-171, 800-53A and NIST Interagency Report 8011.

3) In 2010, NIST published NIST SP 800-37 revision 1 – the guidelines for applying the Risk Management Framework (RMF) to federal information systems. The RMF provides a process that integrates security and risk management activities into the system development life cycle. The six-step RMF includes security categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. It’s used to manage organizational risk.

4) In 2011 FedRAMP, or the Federal Risk and Authorization Management Program, was introduced. From the federal government’s perspective, FedRAMP is a risk management tool. The program created a process for agency and private sector CSPs to attain certification, so they can store government data. FedRAMP is essentially a subset of NIST 800-53 security controls specifically selected to provide protection in cloud environments. FedRAMP mirrors FISMA in that the risk levels and corresponding security controls are based on NIST 800-53. But where FISMA was written for only federal agencies, FedRAMP was written for the private sector too. The idea is that if a company is selling IT-based cloud services to one federal agency, then they can sell to all. Before this, each agency created their own security requirements based on FISMA. Not convenient. Not cost-effective.

5) In 2014, FISMA 2002 was amended. The new Federal Information Security Modernization Act of 2014 (FISMA 2014) updated the informational security requirements for federal agencies. It also clarified and codified the roles of the Department of Homeland Security (DHS), OMB, and Director of National Intelligence (DNI).

6) In 2013, NIST 800-53 revision 4 was released.

7) In 2015, GSA added Cloud Special Item Number (SIN) 132-40 to IT Schedule 70. There are several sub-categories: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).

8) In 2017, NIST released its proposed revision 5 to SP 800-53. This revised guidance will still only apply to federal systems, but it’s intended to be more accessible to non-federal and private sector organizations that want to implement it.

9) In 2018, FedRAMP announced it achieved the milestone of 100 Cloud Service Provider (CSP) authorizations. There are some big names on this list – AWS, Salesforce, Adobe – as well as a range of newer cloud solutions. A full list of all FedRAMP-authorized clouds can be found on the FedRAMP Marketplace webpage.

10) Today. As of now, the government has five of their own FedRAMP-authorized clouds. Sera-Brynn is the 3PAO for two of the five government private clouds in the FedRAMP marketplace.

11) The Future. The FedRAMP Project Management Office states it will have periodic updates to documents available for public comment with advanced notice. To learn more, visit www.fedramp.gov.

As a side note, 2019 marks the 20-year anniversary of the Oscar-nominated movie, Fight Club. Absolutely nothing to do with FedRAMP, but if you have read this far already, you may as well know.

FedRAMP and Other Security Frameworks

For cloud service providers, choosing security frameworks and certifications involves marketing strategy. For cloud service providers that market their products and services to the federal government, FedRAMP is a natural fit. For instance, Microsoft has FedRAMP-authorized cloud services. AWS cloud services promote their FedRAMP-authorized status. Salesforce Government Cloud markets it. IBM Cloud’s FedRAMP authorization is displayed alongside its other certifications. Google Cloud lists 31 different standards, regulations, and certifications that it adheres to (including FedRAMP).

For companies that don’t market to the government, other security frameworks (like SOC 1, 2, 3, ISO 27001, or PCI) may be more advantageous, achievable, cost-effective, or impactful.

Whatever security measures a cloud-based business, service provider, or any SaaS or PaaS provider takes, a shared goal is demonstrating trustworthiness. How security is implemented behind the scenes takes many forms.

For More Information

To learn more about FedRAMP and how Sera-Brynn’s service can help, email fedramp@sera-brynn.com.

Rob Hegedus is CEO at Sera-Brynn, a global Cybersecurity Audit and Advisory firm.

Contributors: Colleen H. Johnson, Senior Cyber Legal Analyst at Sera-Brynn, contributed to this story.

Sera-Brynn is a global cyber risk management audit and advisory firm. Founded in 2011 by former members of the U.S. intelligence community, Sera-Brynn’s clients include many of the world’s most admired and recognized brands.