Reusing FedRAMP Cloud Products
The cloud service ecosystem for FedRAMP authorization has been growing year over year, as has the demand for the reuse of cloud products across agencies. To facilitate cloud product adoption across different agencies without compromising security and usability, FedRAMP provides a quick process to help reuse these services.
What Does it Mean to “Reuse” a Cloud Product in FedRAMP?
The FedRAMP process, by and large, is predicated on a direct relationship between federal agencies and cloud service providers (among other parties). It’s up to agencies to provide an authorization letter for CSPs that show that the provider meets the requirements of FedRAMP as they apply to that specific agency.
Generally, the agency process involves a few standard steps:
- Establishing a Partnership: A crucial part of obtaining a FedRAMP ATO is working with a partner agency that has demonstrated interest in the cloud product. The federal agency must provide the Program Management Office (PMO) with written confirmation of interest in the product.
- Assessment: The CSP and their product undergo an audit from the Third-Party Assessment Organization (3PAO) and, upon successful completion, receive their Authorization to Operate from their federal agency partner. This partner will send their official ruling on the cloud product to the FedRAMP PMO, who then reviews it for final approval.
- Listing and Monitoring: Once the PMO approves the cloud products ATO, that product is listed on the FedRAMP Marketplace and enters the continuous monitoring phase of FedRAMP.
Initially, this process seems to have a key drawback–that products authorized with a specific agency are limited to that agency. In many senses, this concern is very real. Organizations achieving their ATO with a particular federal agency cannot immediately sell their products to other agencies.
One solution that FedRAMP incorporates is allowing a select group of cloud products to achieve their Provisional ATO (P-ATO) through the Joint Authorization Board (JAB). This program allows for a limited club of products (typically 12 or less) to enter into a general, rigorous authorization program that allows these products to serve a broader agency marketplace. This program is limited and requires additional assessments to fit specific agency needs.
Another solution is the FedRAMP process for reusing cloud product authorizations.
Reusing FedRAMP Authorizations for Cloud Products
There is clearly very little reason to have a program in place that requires every cloud product to undergo repeated assessments to provide the same service to different federal agencies. While key data management factors (confidentiality, integrity, and accessibility) will vary between different agencies, it’s not necessarily the case that these variances would be so radical as to make a product incompatible across agencies.
Therefore, FedRAMP includes a method by which agencies can reuse the security packages compiled by the cloud provider to give FedRAMP authorization within their specific operations.
The process for reusing a cloud offering is relatively straightforward:
- Shop the FedRAMP Marketplace: The first step for an agency looking to reuse a cloud offering is to find one on the marketplace that fits their specific needs. This also allows the agency to trust that the cloud offering is already FedRAMP-authorized. As part of this step, however, the agency must formally request that the cloud offering’s ATO security package be through the FedRAMP Access Request Form and an associated Non-Disclosure Agreement. The PMO will grant a 60-day access window for that security package.
- Review the Package: With the appropriate package information, the agency will begin reviewing that information to determine if that offering meets the agency’s requirements. This review will also include a risk analysis to understand gaps between agency needs and the existing package.
- Issuance of ATO: If the offering’s security package aligns with the agency’s needs (or if the cloud provider can update and upgrade infrastructure to meet higher demands), then the agency can issue its own ATO through the normal process (that is, depending on final approval from the PMO).
- Continuous Monitoring: The agency now gains full-time access to the offering’s security package to implement their ongoing monitoring processes. At this stage, the PMO recommends that agencies and providers set up multi-agency continuous monitoring groups to support collaboration and workload distribution.
What Is Multi-Agency Continuous Monitoring?
This may seem like we are getting out into the weeds a bit… but bear with us.
If a cloud provider has an offering on the FedRAMP Marketplace, and if that offering gains its Authorization across several different agencies, then there will be a mess of continuous monitoring responsibilities across those agencies. Monitoring isn’t a flat, standardized process; different agencies expect tests and results across different technologies and processes.
Accordingly, having a multi-agency monitoring system ongoing means that there are a lot of extra hands in the pot. Instead, the goal of a multi-agency monitoring continuous monitoring group is to streamline all combined monitoring processes and stakeholders therein so that it’s that much easier for everyone (including the provider).
FedRAMP recommends a few specifics around monitoring collaboration groups to maximize accuracy and efficiency:
- Members: Groups should include stakeholders from agencies using the cloud solution, agencies adopting (but not yet using) the solution, and the service provider. They also recommend that the 3PAOs be ready to provide any information needed to this group.
- Officers: These groups should have a clear hierarchy of officers to maintain orderly operations. This includes a Chair and Vice-Chair (selected via a vote) that maintain committee operations, a Secretary that can capture meetings and shared information, and representatives from all relevant organizations.
- Committees: Depending on the size of the working group, specific committees targeting specific monitoring aspects may be called for and formed as needed.
Additionally, the FedRAMP program also recommends having a charter in place to outline decision-making, rules of engagement, and policies for effective monitoring management.
This process might seem like a lot, and it is. But, for massive enterprises fielding complex and popular cloud offerings, there may be quite a few stakeholders managing complex monitoring processes… in which case, having a steering committee can go a long way.
Stay Knowledgeable and Prepared for FedRAMP with Continuum GRC
Whether you are a small business or a massive corporation putting your cloud product on the FedRAMP Marketplace doesn’t matter. If you want to expand and grow in the federal space, you’ll need strong and ongoing monitoring support to ensure that you can adjust as needed.
Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- FARS NIST 800-171
- SOC 1, SOC 2
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.