FedRAMP Archives - SeaGlass Technology (feed last updated Thu, 09 Mar 2023 16:32:44 +0000)

FISMA Versus FedRAMP: What Are The Differences? https://seaglasstechnology.com/fisma-versus-fedramp-what-are-the-differences/ Mon, 28 Feb 2022 14:30:51 +0000

Compliance is a top priority for federal agencies and the contractors that store and process sensitive government data. Even if an organization does not yet operate in the private sector, it is important to understand federal IT compliance standards like FISMA and FedRAMP. These government compliance standards can be complex as they often overlap and some apply only to certain groups. There are many similarities between FISMA and FedRAMP, along with some distinct differences.

The U.S. government is the largest buyer of goods and services in the world. Doing business with federal agencies requires businesses to meet strict compliance standards. FISMA and FedRAMP possess the same high-level goals of protecting confidential government data and minimizing information security risks across federal information systems. Learn more about FISMA and FedRAMP, the differences between them, and why it is important to meet compliance.

What is FISMA?

The Federal Information Security Management Act (FISMA) is a federal law passed in 2002 that provides security standards and guidelines that federal agencies are required to meet. FISMA calls on agencies to develop, document, and implement an information security program to protect sensitive government information and operations. Modified in 2014, FISMA emphasizes the importance of continual monitoring.

Similar to other federal cybersecurity laws, FISMA enforces a rigorous set of rules designed to establish standards for IT departments in federal agencies to follow. Although FISMA was initially written to impose security standards on federal agencies, it also affects some private companies. Under FISMA, an Authorizing Official (AO) is responsible for determining if an information system complies with FISMA standards, regardless of whether the system is run by a federal agency or a private federal contractor.

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a cybersecurity risk management program used by U.S. government agencies that buy and use cloud-based products and services. Cloud service providers (CSPs) must obtain FedRAMP authorization before they can work with federal agencies. FedRAMP was implemented by the Office of Management and Budget (OMB) in response to the 2011 Cloud First Policy.

Requirements under FedRAMP are outlined in NIST 800-53, which represents the gold standard in cybersecurity. Authorization is only granted to CSPs through the FedRAMP Authority to Operate (ATO).

To achieve authorization and compliance, a CSP must complete all applicable FedRAMP documentation, implement controls in compliance with FIPS 199 categories, undergo an assessment by a third-party assessment organization (3PAO), and develop a Plan of Action and Milestones (POA&M). Next, the CSP must obtain either a Joint Authorization Board (JAB) Provisional ATO (P-ATO) or an Agency ATO, and finally implement a Continuous Monitoring (ConMon) program.

What are the Differences?

Both FISMA and FedRAMP reference the standards of NIST 800-53, but each has different objectives. FISMA provides security guidelines to government agencies on how to keep their data protected, while FedRAMP provides security guidelines on how sensitive government data must be protected when an agency uses a CSP. FedRAMP is essentially the CSP version of FISMA.

There is also a difference in the assumption of risk between FISMA and FedRAMP. With FISMA, the federal agency that uses a CSP assumes all risks associated with outsourcing information system management. Government agencies may require businesses to meet FISMA standards, and CSPs may also be required to meet certain agency-specific standards. Some CSPs are required to complete multiple security assessments across several agencies to maintain an ATO.

Information systems that are evaluated under both FISMA and FedRAMP are categorized per FIPS 199 as either low, moderate or high. Based on the security categorization, further security controls from NIST SP 800-53 are applied as either low impact, moderate impact or high impact. However, FedRAMP requirements include several additional controls outside of the standard NIST baseline controls. These extra controls address various elements of cloud computing to ensure that data remains secure in cloud-based environments.

Certain requirements also differ between FISMA and FedRAMP. Cloud service providers seeking FedRAMP authorization must first pass a third-party security assessment. Although all federal agencies must undergo an independent assessment of their security control implementation, FedRAMP is the only type of implementation that currently requires a 3PAO assessment. Cloud service providers can obtain an ATO from the government in two ways: a Joint Authorization Board Provisional ATO (JAB P-ATO) or a FedRAMP Agency ATO.

Speak with the NYC IT Experts at SeaGlass Technology

Federal agencies in search of a FedRAMP-compliant CSP will likely expect it to also be FISMA-compliant. It is important for CSPs to comply with both FISMA and FedRAMP standards and regulations to maintain an ATO from the federal government. The IT experts at SeaGlass Technology can help organizations become compliant through services like advisory consulting. For more information about the differences between FISMA and FedRAMP, schedule a consultation with SeaGlass Technology today.

The Importance Of Obtaining FedRAMP Compliance https://seaglasstechnology.com/the-importance-of-obtaining-fedramp-compliance/ Mon, 21 Feb 2022 14:30:33 +0000

Obtaining FedRAMP compliance is no easy feat. According to the Information Technology & Innovation Foundation, this process can take anywhere from six months to two years and cost businesses upwards of $500,000. Despite the challenges that many organizations face when working towards compliance, achieving certification can be highly rewarding and prosperous.

FedRAMP enables the federal government to accelerate the adoption of cloud computing technologies by establishing transparent processes and standards for security authorizations. Learn more about obtaining FedRAMP compliance and the importance of becoming FedRAMP certified.

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a program used to evaluate and authorize cloud service providers’ (CSPs) service offerings. This in-depth and rigorous process was established in 2011 by the Office of Management and Budget to create a risk-based, cost-effective approach to the adoption of cloud-based services by the federal government.

Only cloud service providers with FedRAMP certification can work with government agencies in the U.S. The program was initiated in response to the government’s 2011 Cloud First Policy. Before a cloud service offering (CSO) can be used by a federal agency, it must first demonstrate that it meets FedRAMP compliance requirements. Each requirement is outlined in NIST 800-53 and further supplemented by the FedRAMP Program Management Office (PMO).

To achieve FedRAMP compliance and authorization, CSPs must achieve the following high-level requirements:

  • Complete FedRAMP documentation including FedRAMP SSP
  • Implement controls that comply with FIPS 199 categorization
  • Undergo assessment of cloud offerings by a FedRAMP third-party assessment organization (3PAO)
  • Develop a Plan of Action and Milestones (POA&M)
  • Acquire either a Joint Authorization Board (JAB) Provisional ATO (P-ATO) or an Agency ATO
  • Establish a Continuous Monitoring (ConMon) program that includes monthly vulnerability scans

Why is FedRAMP Compliance Important?

Becoming a FedRAMP-certified organization is critical for the success of any cloud service provider that wishes to work with the federal government. Here are some of the reasons why obtaining FedRAMP compliance is important for CSPs.

1. Confidently Sell Services to the Federal Government

FedRAMP has become mandatory for all cloud services used by the federal government, meaning that if a CSP wishes to work with a government agency, FedRAMP authorization must be an essential part of their security plan. Cloud service providers that do not obtain FedRAMP compliance are potentially missing out on a significant revenue stream.

2. Establish Confidence in the Security of Services

Cloud service providers are responsible for handling sensitive government information. Obtaining FedRAMP authorization shows that the business has strived to meet the highest standards in cloud security. Customers are more likely to put their trust in a provider that has met compliance requirements and is considered secure enough to do business with agencies like the Department of Defense (DOD) and Department of Justice (DOJ).

3. Get Listed on the FedRAMP Marketplace

FedRAMP-authorized businesses can attract more attention when they become listed on the FedRAMP Marketplace. The marketplace is often the first place that government agencies go when they want to find a new cloud-based solution. Agencies often prefer choosing a CSP from the FedRAMP Marketplace as it is faster and easier than starting the authorization process from scratch with a new vendor.

4. Reuse FedRAMP Assessments Across Multiple Agencies

Although obtaining FedRAMP compliance can be a long and tedious journey, it is not a process that needs to be completed frequently. Just one assessment is required to gain an Authority to Operate (ATO) from several federal agencies. After completing an assessment, it is posted to the Office of Management and Budget (OMB) Max repository where the package can be reviewed by other federal agencies and granted an ATO based on the review.

5. Aid in IT Modernization and Transformation

Cloud service providers that obtain FedRAMP compliance are doing their part to help with IT modernization and transformation. FedRAMP enables agencies to quickly adapt from old and insecure legacy IT to cost-effective, mission-driven, cloud-based IT. With FedRAMP, government agencies can ensure effective and repeatable cloud security through a core set of stringent processes.

6. Simplify Security for the Digital Age

Technology is continually evolving and businesses must keep pace or risk falling behind their competitors. FedRAMP helps to simplify security for the digital age by delivering a standardized approach to cloud security. Some examples of the security capabilities found in FedRAMP-authorized solutions include virus scanning, continuous monitoring, IP whitelisting, audit trails, an incident response plan, vulnerability scanning, and intrusion detection.

Getting FedRAMP authorization can be a difficult endeavor as there are 14 applicable laws and regulations that businesses must meet, along with 19 standards and guidance documents. FedRAMP is considered one of the most rigorous software-as-a-service certifications in the world and just over 200 cloud service offerings have been authorized since the start of the program.

Schedule a Consultation with SeaGlass Technology

SeaGlass Technology is a leader in IT cloud services and can help your organization become compliant through services like advisory consulting and readiness assessments. Contact our NYC team of certified technicians today to get started.

How To Achieve Your Target FedRAMP Impact Level https://seaglasstechnology.com/how-to-achieve-your-target-fedramp-impact-level/ Mon, 14 Feb 2022 14:30:03 +0000

Achieving FedRAMP certification is a requirement for any organization that wants to work with a government agency. The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide cybersecurity risk management program used to evaluate and authorize cloud service provider (CSP) service offerings. FedRAMP was established in 2011 by the Office of Management and Budget (OMB) as a cost-effective, risk-based approach to the implementation and use of cloud services in U.S. federal government departments and agencies.

Why Is FedRAMP Certification Important?

Cloud services that hold or store federal data require FedRAMP authorization, meaning any business that wants to work with the federal government must include FedRAMP authorization as part of their security plan.

Acquiring FedRAMP certification is important as it ensures consistency in the security of cloud services used by the government. It creates a single set of standards for all cloud providers and government agencies which helps instill confidence in clients through stringent security protocols.

When cloud service providers become FedRAMP authorized, they are listed in the FedRAMP Marketplace. This platform is the first place that government agencies look when sourcing a new cloud-based solution.

Most government agencies find it faster and easier to use a cloud-based product that has already been authorized than to start the process from scratch with a new vendor. Therefore, achieving FedRAMP compliance and getting listed in the FedRAMP Marketplace can be a highly profitable endeavor.

What Are The Three FedRAMP Impact Levels?

FedRAMP currently authorizes cloud service providers at low-, moderate- or high-impact levels:

Low-Impact Level

Low-impact level is suitable for cloud service offerings (CSOs) where the loss of integrity, confidentiality, and availability would have limited adverse effects on a government agency’s assets, individuals, and operations.

There are currently two baselines for systems that fall under the FedRAMP low-impact level: the LI-SaaS Baseline and the Low Baseline. Low-impact SaaS applications that do not store personally identifiable information (PII), beyond what is required for login capability, fall under the LI-SaaS Baseline.

Under the LI-SaaS Baseline, mandatory security documentation is consolidated and the number of security controls required for testing and verification is lowered relative to a Low Baseline authorization.

Moderate-Impact Level

Moderate-impact systems make up nearly 80 percent of CSP applications and are most appropriate for cloud service offerings where the loss of integrity, confidentiality, and availability would likely result in serious adverse effects on an agency’s assets, individuals, or operations. Some of these adverse effects could cause substantial operational harm to an agency’s finances, assets, or individuals. Under the moderate-impact level, there is no loss of life or physical information.

High-Impact Level

High-impact data is usually found in financial systems, law enforcement and emergency systems, health systems, and similar areas where the loss of integrity, confidentiality, or availability could have catastrophic adverse effects on an organization’s assets, operations, or individuals.

FedRAMP’s High Baseline was created to protect the government’s most sensitive, unclassified data in cloud-based computing environments. This includes data that could protect life and prevent financial ruin.

How Is A Target FedRAMP Impact Level Achieved?

Once the appropriate target FedRAMP impact level is determined, businesses can take the necessary steps to achieve compliance. The authorization process typically occurs in four main phases: plan, assess, authorize, and monitor.

1. Plan

The first stage in the authorization process involves planning and documenting. CSPs must first establish a partnership with a federal agency that is interested in using the product.

Next, determine what approach the business will use to achieve authorization. The two main paths to authorization involve getting a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) or obtaining an Authority to Operate (ATO) letter from a federal agency.

A CSP must then determine the proper impact level for their system and fulfill the requirements outlined in the FedRAMP Security Controls baseline. The details of the implementation must be documented in a System Security Plan (SSP).

2. Assess

Hire an independent assessor to test the information system and verify that all appropriate controls are implemented and effective. Once testing is complete, the third-party assessment organization (3PAO) or nonaccredited independent assessor (IA) will issue a Security Assessment Report (SAR).

3. Authorize

After the assessment has been completed, the CSP will need to submit a security package to the JAB or the federal agency that they are working with for approval. If approved, the CSP will receive an ATO.

4. Monitor

Receiving an ATO is not the final step in the process. Authorization must be maintained over time through continuous monitoring and compliance with FedRAMP requirements. If an organization fails to maintain an appropriate risk level, authorization can be revoked.

Get Started Today With SeaGlass Technology

SeaGlass Technology is a leader in IT cloud services and can help organizations become compliant through services like advisory consulting and readiness assessments. Schedule a consultation today to speak with a certified IT technician.

How to Become FedRAMP Certified https://seaglasstechnology.com/how-to-become-fedramp-certified/ Mon, 24 Jan 2022 14:30:04 +0000

The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 and provides a risk-based approach to the adoption and use of secure cloud services. FedRAMP delivers guidance to corporate and governmental organizations in an attempt to increase efficiency and reduce the duplication associated with security authorization processes.

The risk management program was created to support the government’s cloud computing plan and help reduce the time and money that agencies would otherwise have to spend assessing the security of cloud service providers (CSPs). While the FedRAMP certification process is quite rigorous, CSPs that become certified have the opportunity to work with governmental agencies.

FedRAMP’s security baselines are based on NIST SP 800-53, along with a specific set of control enhancements that relate to the unique security requirements of cloud computing. Learn more about this program and how to become FedRAMP certified.

Why Should You Become FedRAMP Certified?

The FedRAMP authorization program was developed by the federal government to provide a standardized approach to security authorization, assessment, and continuous monitoring for cloud services and products. There are many reasons why a business may choose to become FedRAMP certified, including the following:

  • Ability to sell cloud services or products to the federal government. FedRAMP is now mandatory for all cloud service offerings (CSOs) used by federal agencies, meaning businesses cannot work with federal or governmental agencies without first becoming FedRAMP certified. Without this certification, businesses could be losing out on significant revenue.
  • Instill confidence in the security of the cloud services or products. Security is a major concern when it comes to cloud-based services and products used by the federal government. CSPs who go through the complex process of becoming certified often appear more trustworthy in the eyes of governmental agencies like the Department of Defense (DOD) or the Department of Justice (DOJ).
  • Just one FedRAMP assessment is needed as it can be reused. Cloud service providers need to undergo a single assessment to gain an Authority to Operate (ATO) from several federal agencies. After completing the assessment, it is posted to the Office of Management and Budget (OMB) Max repository where any federal agency can review the package and choose to grant an ATO.
  • FedRAMP certification can help organizations with other programs. Some federal agencies, such as the DOD, have additional requirements for CSPs. Cloud service providers that become FedRAMP certified can leverage their FedRAMP status to help meet these requirements.

What are the Steps to Become FedRAMP Certified?

There are two main ways that cloud service providers can become FedRAMP certified. First, they can obtain an ATO, which requires CSPs to work directly with a specified agency during the agency authorization process. After partnering with a federal agency, the agency approves the CSP and arranges approval from the FedRAMP Program Management Office. If approved, the CSP is issued an ATO, which allows the business to work with that specific agency.

Cloud service providers can also obtain a Provisional Authorization to Operate (P-ATO) through the Joint Authorization Board (JAB). The JAB refers to a governing body of the FedRAMP program that consists of the General Services Administration (GSA), the Department of Homeland Security (DHS), and the DOD.

During this process, the JAB issues a provisional authorization that signifies that the agency’s risks have been reviewed. While this is an important initial approval, agencies that wish to use the service will still need to issue their own ATO.

Regardless of the type of authorization that a business chooses to pursue, the FedRAMP certification process involves several primary steps:

1. Pre-Authorization Stage

The pre-authorization stage establishes a foundation for FedRAMP certification. First, the CSP must form a partnership with governmental agency customers. A cloud service provider should also form a partnership with a reputable FedRAMP-approved third-party assessment organization (3PAO). The 3PAO will be the evaluator for FedRAMP certification. During the process, the CSP must document each step taken to gain certification with documents like RFIs, RFPs and RFQs.

2. Authorization Stage

After building a foundation in the pre-authorization stage, a CSP can move on to the actual authorization process. There are three main steps in this stage, including package development, assessment, and authorization.

3. Post-Authorization Stage

Even after becoming FedRAMP certified, CSPs must continue to perform ongoing monitoring and management to ensure that their security efforts remain effective. CSPs must provide the agencies that they work with proof of monitoring each month to help mitigate the risk of security vulnerabilities.

Speak with the IT Experts at SeaGlass Technology

FedRAMP authorization is a challenging endeavor that consists of 14 applicable laws and regulations, in addition to 19 standards and guidance documents. It is considered one of the most rigorous software-as-a-service (SaaS) certifications in the world. To learn more about how to become FedRAMP certified, contact the IT professionals at SeaGlass Technology.

FedRAMP Compliance Requirements & Checklist https://seaglasstechnology.com/fedramp-compliance-requirements-and-checklist/ Mon, 17 Jan 2022 14:30:07 +0000

The Federal Risk and Authorization Management Program (FedRAMP) is a federal program that promotes the use of secure cloud services. This compliance program created by the U.S. government establishes a baseline for cloud-based services and products in regards to their approach to security assessment, authorization, and continuous monitoring.

Under FedRAMP, agencies are better equipped to transition from outdated, insecure legacy IT to cost-effective, mission-driven cloud-based IT.

Before a federal agency can use a commercial cloud service offering (CSO), the CSO must first demonstrate FedRAMP compliance. Compliance refers to the ability to prove adherence to government security requirements found in NIST 800-53 and further supplemented by the FedRAMP Program Management Office (PMO). FedRAMP compliance requires cloud service providers (CSPs) to achieve several high-level requirements outlined below:

Paths To Achieving FedRAMP Compliance

Demonstrating FedRAMP compliance requires CSPs to go down one of two paths. First, a FedRAMP Authority to Operate (ATO) can be obtained directly from a federal agency. An agency FedRAMP ATO is only applicable to that agency and does not mean that other agencies are authorized to use that CSO. After a CSO acquires a FedRAMP ATO with an agency, all other governmental agencies that wish to use the CSO will need to assess the authorization package to determine whether the CSO’s security posture is sufficient to meet their own risk tolerance.

The second, and more challenging path, requires a CSP to receive a FedRAMP Provisional ATO (P-ATO) from the Joint Authorization Board (JAB). The JAB is comprised of representatives from the Department of Defense (DOD), the General Services Administration (GSA), and the Department of Homeland Security (DHS).

Together, JAB represents all federal agencies pertaining to the evaluation of CSP security postures. Unfortunately, the JAB does not accept risk for any federal agency, meaning the ATO issued by the JAB signifies that the CSO has been reviewed and approved but that each federal agency is still responsible for issuing an agency ATO.


Checklist To Achieve FedRAMP Compliance

Regardless of which path a CSP chooses to achieve compliance, the process can be highly rigorous. The following checklist outlines the steps that CSPs need to take to achieve FedRAMP compliance:

1. Submit Initial FedRAMP Documents

CSPs are responsible for gathering and completing all documents and templates provided by FedRAMP. These documents can be downloaded and printed directly from the FedRAMP government website and are necessary for preparation, authorization, and monitoring. Become familiar with the authorization path that the business will most likely take based on its relevance to the organization.

2. Implement Controls in Accordance with FIPS 199

FIPS 199 is Federal Information Processing Standard 199. This standard was developed by NIST with the goal of categorizing data stored and transmitted by cloud computing services as either low, moderate, or high impact. The category chosen determines the controls a CSP must implement.

3. Undergo an Assessment by a 3PAO

CSPs that want to achieve FedRAMP compliance must first complete an assessment performed by a FedRAMP third-party assessment organization (3PAO). The 3PAO will perform a cybersecurity attestation and put together a Readiness Assessment Report (RAR) for the organization. Conducting a 3PAO assessment is a mandatory step for the JAB authorization path but is only a highly recommended step for the agency authorization path.


4. Develop a Plan of Action and Milestones (POA&M)

Another step carried over to FedRAMP from NIST SP 800-53 is the POA&M. This step requires the CSP or agency seeking authorization to implement the proper controls in the form of a schedule. The goal of this schedule is to document the planned remediation actions of the agency to address and resolve deficiencies or weaknesses identified during the assessment of the controls. A POA&M aims to eliminate any known vulnerabilities found within the system.

5. Obtain Either an Agency ATO, a Provisional ATO, or JAB Approval

The CSP will need to decide whether they are seeking an agency authorization to operate, provisional authorization to operate, or approval from the JAB. While there are no wrong choices, some paths may be more difficult than others.

6. Implement a Continuous Monitoring Program

The final step in FedRAMP compliance involves implementing a continuous monitoring (ConMon) program that includes monthly vulnerability scans. This step is necessary to ensure that the organization remains compliant and that any risks are promptly addressed before they can negatively impact the CSOs.

Speak with the FedRAMP Compliance Professionals at SeaGlass

The federal government wants more agencies to use cloud services, as they enable agencies to save time and money while enhancing their overall efficiency. FedRAMP also reduces cybersecurity threats to vendors, as it allows agencies to detect cybersecurity vulnerabilities more rapidly. To learn more about FedRAMP compliance requirements or to speak with an experienced NYC IT service professional, reach out to the experts at SeaGlass Technology.

What Are The FedRAMP Impact Levels? https://seaglasstechnology.com/what-are-the-fedramp-impact-levels/ Mon, 10 Jan 2022 14:30:58 +0000

The post What Are The FedRAMP Impact Levels? appeared first on SeaGlass Technology.

]]>
The Federal Risk and Authorization Management Program (FedRAMP) is a United States government program used to evaluate and authorize the offerings of cloud service providers (CSPs). This government-wide program is managed by the Office of Management and Budget (OMB), the U.S. Department of Homeland Security (DHS), the U.S. General Services Administration (GSA), the Federal Chief Information Officers (CIO) Council, the National Institute of Standards and Technology (NIST), and the Department of Defense (DoD).

CSPs who wish to offer their cloud service offerings (CSOs) to the U.S. government must first demonstrate FedRAMP compliance. FedRAMP is mandatory for all federal agencies and offers a number of benefits. It helps increase transparency between the U.S. government and cloud providers, promotes consistency and confidence in the security of cloud solutions, and encourages near real-time continuous monitoring.

FedRAMP grants authorizations to CSPs at different impact levels, namely low, moderate, and high, with each level referring to the severity of the potential impact if an information system should become compromised or corrupted.

FedRAMP Low Impact Level

The low impact level of FedRAMP is considered the security level baseline. This impact level is required for organizations that manage information systems that contain publicly available data. This means that if the data should become compromised, it would have a low impact on an agency’s finances, safety, mission, and/or reputation.

FedRAMP low impact level includes data intended for public use. The program currently contains two baseline levels for systems that store low-impact data: low-impact SaaS and low baseline. The baseline for CSPs with low-impact software-as-a-service (LI-SaaS) was created to support cloud products and services that the agencies that use them consider to be low risk. Low level systems have a total of 125 controls.

FedRAMP Moderate Impact Level

The moderate impact level of FedRAMP mostly covers data that is not available to the public, such as personally identifiable information (PII). A breach of a moderate-impact system could have a serious effect on the agency's operations.

Moderate impact level is appropriate for cloud service providers that are responsible for handling government data that is not publicly available. If a breach to the system with a moderate impact level should occur, an agency could suffer fairly significant damage to agency assets, reputational harm, and financial losses. FedRAMP moderate impact level systems have a total of 325 controls.

FedRAMP High Impact Level

The final and most serious impact level is the FedRAMP high impact level. This impact level covers sensitive federal information, such as healthcare, emergency services, and law enforcement data. If a breach should occur to a government system that contains this type of data, the results would likely be catastrophic.

Operations could potentially be shut down and financial ruin may occur. High impact level losses could also pose a threat to intellectual property and possibly endanger human life.

FedRAMP high impact level establishes a standard for protecting some of the U.S. federal government's most sensitive unclassified information stored in cloud computing environments. High impact level systems are required to comply with a total of 421 controls.

Why Is FedRAMP Certification Important?

Any cloud service that holds U.S. federal data is required to get FedRAMP authorization. FedRAMP was developed as a way to create consistency in the security of United States government cloud systems. The program helps evaluate and monitor agency security and provides a single set of standards for all cloud providers and government agencies.

When a cloud service provider does get FedRAMP authorization, it is listed in the FedRAMP Marketplace. This marketplace is often the first place a government agency looks when it wants to find a new cloud-based solution. The ability to find a CSP that is already FedRAMP authorized can save agencies a significant amount of time compared to starting the authorization process from scratch with a new vendor.

The FedRAMP Marketplace is available to the public, meaning cloud service providers that receive FedRAMP authorization and are listed in the marketplace are more likely to receive additional business from U.S. government agencies. This authorization makes clients more confident about certain security protocols and represents the provider’s commitment to maintaining the highest security standards possible.

Becoming FedRAMP certified can be a long and complex endeavor for businesses of any size. There are two main ways to become authorized, the most common being a provisional authorization from the Joint Authorization Board (JAB). A CSP may also receive an agency authority to operate by establishing a relationship with a particular federal agency that is involved throughout the process.

Speak with a NYC IT Service Expert Today

For more information about FedRAMP impact levels or to request a consultation with a NYC IT service professional, contact the experts at SeaGlass Technology.

What Is FedRAMP And Why Is It Important? https://seaglasstechnology.com/what-is-fedramp-and-why-is-it-important/ Mon, 03 Jan 2022 14:30:47 +0000
Keeping government data out of the wrong hands is a top priority in the United States. Innovations in technology have opened up new opportunities in the form of cloud computing. The on-demand availability of computer system resources, including data storage capabilities, has resulted in greater flexibility, increased collaboration, quality control, and cost savings.

Despite the high level of security that cloud systems possess, cloud-based technology is not impervious to internal and external cybersecurity threats.

Established in 2011 by the Office of Management and Budget (OMB), FedRAMP was created to provide a cost-effective, risk-based approach for the implementation and use of cloud services in executive departments and agencies. Learn more about FedRAMP, why it is important, and how federal agencies can use modern cloud technologies safely.

What Is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a program that evaluates and authorizes cloud-based products and services used by U.S. federal agencies. This rigorous, in-depth process ensures adequate security posture of cloud service offerings (CSOs) and helps keep agencies mobile without compromising federal security.

Obtaining FedRAMP authorization is no easy task. It is considered one of the most meticulous software-as-a-service certifications in the world, made up of 14 applicable regulations and laws, as well as 19 standards and guidance documents. FedRAMP allows agencies to quickly adapt from outdated, insecure legacy IT to secure, cost-effective and mission-enabling cloud-based IT.

Why Is FedRAMP Important?

FedRAMP creates a common security framework that eliminates duplicative efforts and helps the federal government accelerate the adoption of cloud technology. Today, all cloud services that store federal data require FedRAMP authorization, meaning any organization that wishes to work with the federal government must have FedRAMP authorization as part of their security plan.

Having authorization helps ensure consistency in the security of government cloud services. FedRAMP provides a single set of standards for all cloud partners and government agencies. Agencies are responsible for reviewing their security requirements against the standardized baseline.

Cloud service providers must go through the authorization process just once. After obtaining authorization for their CSO, the security package can continue to be reused by any federal agency.

FedRAMP is now mandatory for all executive agency service models and cloud deployments at high, moderate, and low impact levels. The program is controlled by a Joint Authorization Board (JAB) that is made up of representatives from the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA).

What Are The Steps To FedRAMP Authorization?

The process of obtaining FedRAMP authorization can be challenging; however, authorization can significantly increase security credibility as it shows a commitment to meeting the highest security standards. There are several steps involved in FedRAMP authorization, including the following:

1. Package Development

FedRAMP authorization begins with an authorization kickoff meeting. The provider must complete a system security plan, followed by the development of a security assessment plan by a FedRAMP-approved third-party assessment organization.

2. Assessment

The third-party assessment organization then submits a security assessment report, and the provider develops a Plan of Action and Milestones (POA&M). This is a corrective action plan for tracking the resolution of the identified information security weaknesses.

3. Authorization

An authorizing agency or the JAB then decides whether the level of risk is acceptable. If it is, an authority to operate (ATO) letter is submitted to the FedRAMP project management office and the provider is listed in the FedRAMP marketplace.

4. Monitoring

Once listed, the provider is responsible for sending monthly security monitoring deliverables to all agencies.

What are the Categories of FedRAMP Compliance?

FedRAMP consists of four impact levels for services based on risk. These categories are associated with the potential impacts of a security breach in three distinct areas, including availability, integrity, and confidentiality. The first three impact levels are from the National Institute of Standards and Technology (NIST) and are based on Federal Information Processing Standard (FIPS) 199. The final impact level is based on NIST Special Publication 800-37.

The four impact levels include:

  • High (based on 421 controls) — High impact occurs when the loss of integrity, availability, or confidentiality has a catastrophic effect on organizational assets, operations, or individuals.
  • Moderate (based on 325 controls) — Moderate impact occurs when the loss of integrity, availability, or confidentiality has a serious effect on organizational assets, operations, or individuals.
  • Low (based on 125 controls) — Low impact occurs when the loss of integrity, availability, or confidentiality has a limited effect on organizational assets, operations, or individuals.
  • Low-Impact SaaS (based on 36 controls) — Low-impact SaaS is designed for systems that are considered low risk for uses like project management applications and collaboration tools.

Contact The Experts At SeaGlass Technology

FedRAMP authorizations can be challenging to obtain as they involve the dedication of resources and the involvement of key players. To learn more about FedRAMP and why it is important, reach out to the professionals at SeaGlass Technology.
