What is FedRAMP?
Cloud Service Providers who have offerings that can be useful to the federal government should consider obtaining a FedRAMP Authorization. Public sector and private enterprises must meet security requirements on any cloud-based solution to ensure that sensitive data is properly protected, while it’s outside of their direct control and that all other relevant security policies are met. FedRAMP is an assessment and authorization process the U.S. federal agencies use to ensure proper security controls are in place when accessing cloud computing products and services.
Why is FedRAMP important?
FedRAMP provides a single, consistent process for validating cloud services across all U.S. federal agencies, which streamlines the procurement process for many public sector customers and ensures that consistent baseline security policies are used across different agencies.
Getting FedRAMP authorization is serious business. The FedRAMP Authorization Act was signed into law in December 2022. It was part of the FY23 National Defense Authorization Act.
There are 27 applicable laws and regulations involved in FedRAMP. Plus, another 26 standards and guidance documents. It’s one of the most rigorous cloud service certifications in the world.
What does it mean to be FedRAMP compliant?
“FedRAMP compliant” means that all FedRAMP security controls have been implemented for a particular cloud application. FedRAMP Cloud Service Offerings are categorized into one of three impact levels: Low, Moderate and High Impact Levels.
1
Security Objectives
Confidentiality: Information access and disclosure includes means for protecting personal privacy and proprietary information
Integrity: Stored information is sufficiently guarded against modification or destruction.
Availability: Ensuring timely and reliable access to information.
2
Impact Levels
Low: Low Impact is most appropriate for CSOs where the loss of confidentiality, integrity, and availability would result in limited adverse effects on an agency’s operations, assets, or individuals.
LI-SaaS: SaaS applications that do not store personal identifiable information (PII) beyond that generally required for login capability (i.e. username, password, and email address). Required security documentation is consolidated and the requisite number of security controls needing testing and verification are lowered relative to a standard Low Baseline authorization.
Moderate: Moderate Impact applies for most of the CSOs who receive FedRAMP authorization. This impact level is most appropriate for CSOs where the loss of confidentiality, integrity, and availability would result in serious adverse effect on an agency’s operations, assets, or individuals. Serious adverse effects could include significant operational damage to agency assets, financial loss, or individual harm that is not loss of life or serious life-threatening injuries.
High: High Impact data is usually in Law Enforcement and Emergency Services systems, Financial systems, Health systems, and any other system where loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. FedRAMP introduced their High Baseline to account for the government’s most sensitive, unclassified data in cloud computing environments, including data that involves the protection of life and financial ruin.
Is it difficult to achieve FedRAMP Authorization?
The FedRAMP Authorization process can be challenging. Without the expertise, tools and resources a well-intended 12-month FedRAMP Authorization initiative can turn into a 24 month + process costing hundreds of thousands of dollars. The level of difficulty, amount of time and costs are largely dependent on the level of expertise you employ to navigate the authorization process. Learn more about how we can help you achieve compliance quickly, efficiently and economically.
Who governs FedRAMP?
FedRAMP is governed by the FedRAMP Program Management Office (PMO), who defines the control sets, establishes the process, and approves all auditors and FedRAMP authorizations.
Getting FedRAMP Authorized
Options for Achieving Authorization
There are three ways to obtain a FedRAMP authorization:
-
Manage the process yourself.
-
Hire a consultant or advisor.
-
Leverage the experts at Project Hosts
The FedRAMP authorization process is highly specialized and difficult to navigate, with many hidden barriers and complications that can derail your effort. So, managing the process yourself usually requires hiring a team of experts who have experience achieving a FedRAMP authorization. Some hire consultants and leverage their existing team to take on the additional work-effort however the burden of successfully navigating the process still ultimately relies on you. Often a well-intended 12-month Authorization process turns into 18-24 months and drive unexpected costs and create a burden on internal resources.
Project Hosts is the most reliable route for achieving authorization quickly, efficiently and economically. We operate as an extension of your team and take over the effort and do it for you. Teaming with Project Hosts is the fastest, most economical, and least risky way to achieve a FedRAMP authorization.
Speed to Authorization
Project Hosts can get you to a FedRAMP authorization in as little as 9 months, much faster than other alternatives. Why is the Project Hosts option so much faster? Three reasons:
-
The GSS One PaaS
-
The FasTrack process
-
Proven Expertise
1
The GSS One PaaS
Project Hosts will onboard your SaaS solution with the Project Hosts GSS One PaaS. Once you are deployed in our Authorized PaaS your SaaS solution immediately inherits a majority of the security controls required for FedRAMP compliance. Since the GSS One is already FedRAMP Authorized this inheritance means those control implementations do not need to be re-examined, assessed and approved by your auditor, agency customers or the FedRAMP PMO which simplifies and reduces workload by allowing them to focus on the application specific controls. This makes things considerably easier for them, simplifying and speeding up the process.
2
The FasTrack Process
Project Hosts is the #1 PaaS for FedRAMP Authorizations supporting SaaS solutions. Our experience from managing the FedRAMP process for dozens of SaaS solutions, has allowed Project Hosts to develop a FasTrack to authorization. FasTrack is the Project Hosts recipe for success delivering the internal systems experience and proven methodology to efficiently navigate the FedRAMP process.
We know the hidden barriers and complications; we know the FedRAMP PMO’s latest “hot buttons” about solution architecture; we know where delays are most likely to crop up and how to avoid them. The biggest delays are usually caused by surprises from 3PAO auditors, agency sponsors, or the FedRAMP PMO. Since we manage dozens of SaaS solutions, the auditors and FedRAMP PMO are very familiar with how we do things and have approved our architectures, controls and processes many times. The same holds true for the dozens of agencies that have granted ATOs to SaaS solutions we manage. Since the key stakeholders all approve of our processes, our FasTrack avoids delays and surprises delivering a smooth process for our customers.
3
Unmatched Expertise
Project Hosts is the recognized leader in delivering high performance, secure and FedRAMP certified compliant cloud-based solutions. We implement the most rigorous cloud security standards including FedRAMP, DoD IL2/4/5, HIPAA, HITRUST, and ISO 27001. With over 19 years of experience we have established ourselves as a trusted and reliable partner.
Our work with Agencies, DoD, 3PAO’s and FedRAMP have optimized our skills, helped define our processes, and allowed us to stay ahead of the game to ensure we consistently exceed expectations. Auditors, agency assessors, and the FedRAMP PMO consistently support our model and endorse how easy we are to work with – “Project Hosts process is more buttoned up and well-prepared than anyone else we see. Consequently, Project Hosts is able to get packages through the assessments much more quickly.” – Agency Sponsor.
As the #1 PaaS supporting SaaS vendors on the FedRAMP Marketplace and over 35 Agencies using our GSS One we continue to be the preferred choice for those seeking superior services and industry expertise.
If you are considering a FedRAMP Authorization contact Project Hosts, we are interested to learn more about your initiative.
Other FedRAMP Compliance Solutions
Dedicated Solutions for Agencies
In order for a federal agency to use your SaaS solution, they will have to grant an Authority-to-Operate (ATO), after first assessing it and ensuring that FedRAMP controls are in place. Sometimes an agency is willing to grant an ATO for a SaaS solution dedicated just to them, but they are not willing to be the first agency (the “FedRAMP sponsor”) to grant an ATO for a multitenant solution that will be used by multiple agencies.
If you are willing to have dedicated deployments of your SaaS, you can still serve these agencies. The good news is that since FedRAMP only applies to multitenant cloud offerings, you do not need to go through the full FedRAMP process to serve them. In fact, when you are doing a dedicated deployment, most agencies do not require you to get a separate 3PAO audit (since they are not willing to have that cost passed on to them). Instead, they just require you to provide the agency’s assessors with a System Security Plan (SSP) that details how all FedRAMP controls have been implemented for the solution, along with evidence (e.g. screenshots) that verify implementation.
When you work with Project Hosts for these deployments, it is much easier for your agency to grant the ATO for two reasons: First, by tying your SaaS into the Project Hosts GSS One PaaS, your SaaS inherits a majority of the control implementations. Also, since GSS One is FedRAMP authorized already, your agency does not need to re-assess and re-approve those controls. Second, since Project Hosts has ATOs from dozens of agencies, we know what they are looking for and can prepare the SSP and evidence in a way that makes it much easier for agency assessors to approve.
Often, providing a dedicated SaaS solution to an agency is a first step. After working with us (on your behalf), the agency may very well agree to be your sponsor for a full FedRAMP authorization. Contact us to learn more about dedicated solutions.
FedRAMP Rev. 5 Simplified
It’s been three years since the National Institute of Standards and Technology (NIST) unveiled the fifth iteration of Special Publication (SP) 800-53. As the basis for the Federal Risk and Authorization Management Program’s (FedRAMP) rigorous security framework, this update has significant implications for cloud service providers (CSPs) that work with the federal government.
Now, CSPs finally have what they’ve been waiting for. In May 2023, the FedRAMP Project Management Office (PMO) approved and released the fifth version of its baseline security controls, known simply as FedRAMP Rev. 5. In turn, the PMO issued guidelines for when and how CSPs must achieve Rev. 5 compliance.
Want to learn more about FedRAMP?
