What is FedRAMP Compliance?
FedRAMP, or Federal Risk and Authorization Management Program, is a U.S. federal government program that provides a standardized approach to data security, authorization, and monitoring for cloud service offerings (CSOs) and products.
The FedRAMP standard was initiated by the Office of Management and Budget (OMB) in 2012, following the Cloud First Policy (since renamed the Cloud Smart Strategy).
Currently, the FedRAMP program is governed by the Joint Authorization Board (JAB), which includes Chief Information Officers (CIOs) from the:
- General Services Administration (GSA)
- Department of Defense (DoD)
- Department of Homeland Security (DHS)
CSOs certified by FedRAMP have gone through a rigorous testing and monitoring process. (You can see services that are FedRAMP-compliant on the FedRAMP marketplace. The marketplace makes it easier for various government agencies to find suitable CSOs without needing to go through an authorization process.)
The marketplace lists all FedRAMP-compliant cloud providers, including Valimail. If you’re looking for a DMARC-as-a-service guaranteed by FedRAMP, our solution is authorized for government use under the GSA FedRAMP program. We have the reliability and security needed to support government organizations at the federal, local, and state levels.
Why is FedRAMP Important?
FedRAMP authorization isn’t something to take lightly. It’s one of the most rigorous authorization certifications to go through as a cloud-based platform or business with cloud service offerings. According to the mandate, federal agencies are to default to cloud-based solutions whenever possible. While cloud-based solutions improve the operational efficiency of an organization, they also introduce cloud security risks that the public sector simply can’t afford. For instance, a data breach at a government agency could result in loss of trust from citizens, major financial loss, and even a danger to national security.
Ultimately, FedRAMP provides the standardized approach needed to verify the security of cloud services handling federal data in an effective and cost-efficient way. Besides improving your credibility and security as a cloud service provider, FedRAMP provides the following additional benefits:
- Increased consistency in the security of cloud solutions, measured against standards defined by the National Institute of Standards and Technology (NIST) and FISMA.
- Improved transparency and trust between the US government and cloud providers.
- Automation and real-time monitoring to simplify the authorization process.
- Expedited adoption of cloud-based solutions.
- Secure cloud solutions through reuse of assessments and authorizations.
The Two Paths to FedRAMP Compliance
Note: Besides the two main paths described here, there is also a tailored authorization for low-impact SaaS providers. It is much simpler than the agency and JAB authorization processes, since it’s designed mainly for project management tools and other very low-impact solutions.
Let’s focus on the two main paths for now.
These two paths are for cloud products at the low, moderate, and high impact levels.
There are two ways to FedRAMP compliance:
- JAB authorization
- Agency authorization
Before anything else, you need to determine which path you’ll take. The JAB route is limited to approximately 12 CSOs per year. If your CSO is something that you think will be broadly used by all government agencies, it’s possible that you can go through this route. Unlike the JAB route, there’s no specific schedule for the agency route. You can go through this route as long as you have an agency to partner with that will use your services.
Although there are two different paths, the core processes remain the same. After selecting the path you’d like to take, there are three more stages you need to go through to achieve authorization to operate (ATO):
- Preparation
- Authorization
- Continuous monitoring
Let’s take an in-depth look at the two different pathways and their respective processes below.
The JAB Process
The JAB authorization process prioritizes CSOs that are likely to be used government-wide (for example, cloud computing platforms like AWS or Google Workspace). In this case, a Provisional ATO (P-ATO) is issued by the JAB, but each agency still needs to issue its own ATO to work with you.
In the preparation stage, there are three steps to go through:
- FedRAMP Connect: JAB only authorizes 12 CSOs each year, so you’ll need to go through FedRAMP Connect, which is a process that identifies which CSOs will undergo the assessment process.
- A readiness assessment: Cloud service providers (CSP) also have to achieve a FedRAMP Ready status, which they can get by working with an accredited Third Party Assessment Organization (3PAO) for a Readiness Assessment.
- A full security assessment: The CSP will have to work closely with an accredited 3PAO and turn in several documents as a security authorization package.
Finally, the CSP and assessor from the 3PAO will have to work with JAB to complete the authorization process. This stage entails a review of the CSO’s system architecture, security capabilities, risk posture, as well as the security authorization package submitted during the preparation stage.
After the review is completed and issues are addressed, you’ll finally attain your Provisional Authority to Operate (P-ATO).
The final step is the continuous monitoring program, where you’ll need to turn in monthly monitoring deliverables and undergo an annual assessment to make sure that your CSO is still safe to use.
The Agency Process
Agency authorization allows a CSO to partner with a specific agency to attain an ATO for that agency. This path is often used for CSOs with a niche use case. Unlike JAB authorization, you can undergo agency authorization at any time, as long as you have an agency to collaborate with to complete the process.
Instead of FedRAMP Connect, the agency preparation stage is a two-step process that starts with a readiness assessment and ends with pre-authorization. In this route, the readiness assessment is optional.
Pre-authorization is the step that formalizes the partnership between the CSP and the agency it’s working with. This is also the time to prepare the security deliverables and address the security requirements needed to achieve FedRAMP authorization.
To start the authorization process, the CSP will collaborate with a 3PAO to go through a full security assessment and create the security authorization package, similar to the documents created during a JAB authorization.
In the final step of the authorization process, the agency reviews the security authorization package submitted by the CSP and issues an ATO letter if the CSP passes the review.
To register for the FedRAMP marketplace, the CSP and 3PAO will then submit the required documents and the ATO letter from the agency to be reviewed by the FedRAMP Project Management Office.
Requirements for FedRAMP Compliance
Here are the requirements for FedRAMP compliance at a high level:
- Implement the security controls outlined in NIST 800-53, as supplemented by the FedRAMP Program Management Office.
- Implement controls appropriate to the system’s FIPS 199 impact categorization.
- Complete the required FedRAMP documentation, including the System Security Plan (SSP) and the Plan of Action and Milestones (POA&M).
- Undergo assessment by an accredited Third Party Assessment Organization (3PAO), which completes the security authorization package documents and assists in the authorization process.
- Obtain a Joint Authorization Board (JAB) Provisional ATO (P-ATO) or an Agency ATO.
- Implement a Continuous Monitoring (ConMon) program, which includes monthly vulnerability scans and an annual assessment.
Valimail: Compliance and Security All Around
If you haven’t set up DMARC yet and are looking for a platform that’s guaranteed to be secure, Valimail is the only provider with FedRAMP accreditation. Contact us today if you’re looking for a quick and simple path to DMARC enforcement. We can help you assess what you need to achieve DMARC enforcement so you can attain FedRAMP accreditation more quickly.