What is FedRAMP and FedRAMP Compliance?
FedRAMP stands for Federal Risk and Authorization Management Program. It is the U.S. government-wide program that defines how cloud service offerings are assessed, authorized, and continuously monitored before federal agencies may use them; in practice, it is the set of criteria cloud service providers (CSPs) must meet to secure contracts with the U.S. government. Those criteria are the NIST SP 800-53 security controls, applied as a Low, Moderate, or High impact baseline depending on the sensitivity of the data the service will handle. FedRAMP was developed under the auspices of FISMA, the Federal Information Security Management Act, a federal law whose purpose is to protect the government's sensitive information.
For CSPs, FedRAMP compliance is essential to secure lucrative government contracts and to obtain a spot in the FedRAMP marketplace.
Why Is FedRAMP Certification Important?
FedRAMP certification (strictly speaking, FedRAMP authorization, since the program issues authorizations rather than certificates) is a requirement to secure a spot as a CSP with the federal government. Gaining this authorization in advance means placement in the FedRAMP marketplace, from which government departments and agencies can choose a provider at the impact level (Low, Moderate, or High) their data requires.
Although it is still possible for government entities to disregard the marketplace and start the process of FedRAMP certification independently with a new CSP, most will not bother, simply because it takes too much time and extra resources. In addition, FedRAMP certification gives a CSP a seal of approval for non-government clients. It sends the message that the CSP's security protocols are high enough to meet even stringent government requirements.
Types of FedRAMP Compliance
There are two routes to FedRAMP authorization: a provisional authorization from the Joint Authorization Board (JAB) and an authorization from an individual agency. (In 2024, OMB memorandum M-24-15 replaced the JAB with a FedRAMP Board, but the two-route model below still describes how a government-wide provisional authorization differs from an agency-specific one.)
Joint Authorization Board (JAB) Authorization
JAB authorization is a provisional authority to operate (P-ATO). The CSP's security package is assessed by a FedRAMP-accredited third-party assessment organization (3PAO), and the JAB reviews the resulting risk. The JAB is made up of the chief information officers of the Department of Defense, the Department of Homeland Security, and the General Services Administration (GSA). A P-ATO is not itself an agency authorization: each agency that wants to use the service must still issue its own Authority to Operate (ATO), but it can leverage the JAB's package and risk review rather than repeating the full assessment.
Agency Authorization
This process involves a specific agency from the outset. The customer agency works with the CSP through the assessment, and its authorizing official reviews the security package and accepts the risk. The result of this process is the issuance of an Authority to Operate letter, which authorizes the CSP to operate for that particular agency. The FedRAMP Program Management Office (PMO) then reviews the package so that other agencies can reuse it and the offering is listed in the FedRAMP marketplace.
Key Processes for FedRAMP Authorization
The process for FedRAMP authorization by the JAB is relatively straightforward. There are three key components:
Security Assessment
The CSP documents how it implements the NIST SP 800-53 controls for its chosen baseline in a System Security Plan (SSP). A FedRAMP-accredited 3PAO then tests those controls and submits a Security Assessment Report (SAR) describing what was tested and what it found. In parallel, the CSP develops a Plan of Action and Milestones (POA&M) that records each open finding and the specific milestones by which it will be remediated.
Leveraging and Authorization
The JAB reviews the SSP, the SAR, and the POA&M. If it decides the residual risk is acceptable, it issues a provisional Authority to Operate, and the provider is listed in the FedRAMP marketplace. At this stage, the CSP is not yet connected to a specific federal agency unless that agency has been involved since the beginning of the process to secure authorization; agencies that adopt the service later leverage the P-ATO package to issue their own ATOs.
Ongoing Assessment and Authorization
Once an agency starts to use the service, ongoing assessment and authorization (continuous monitoring) becomes necessary. As part of this process, the CSP delivers monthly continuous monitoring reports, including vulnerability scan results and POA&M updates, to the authorizing agency or the JAB, reports significant changes to the system before making them, and undergoes an annual reassessment by a 3PAO. An authorization can be revoked if the CSP fails to keep up with these obligations.
How Is FedRAMP Different from Risk Management Framework (RMF)?
Both FedRAMP and the RMF are authorization processes used by the federal government. The RMF, defined in NIST SP 800-37, is what federal agencies use to categorize, assess, authorize, and monitor their own information systems. FedRAMP is the RMF applied specifically to cloud services: it uses the same NIST SP 800-53 controls and the same assess-authorize-monitor cycle, but the assessment is performed once, with a standardized package, so that many agencies can reuse it instead of each repeating the work. Agencies are required to use FedRAMP-authorized services when they adopt cloud offerings, and an agency that itself operates a cloud service for use by other agencies can also take that service through FedRAMP.
Benefits of Working with a FedRAMP-compliant Cloud Service Provider (CSP)
FedRAMP was designed to ensure security compliance for the federal government. But there are real benefits for non-government organizations that prioritize FedRAMP-compliant CSPs over other cloud providers. Specifically, it saves the organization time and money performing its own security assessment. Since the organization already knows that any CSP in the FedRAMP marketplace has been assessed against the NIST SP 800-53 baseline by an accredited 3PAO, it can treat those controls as a verified starting point. The organization does not have to decide which third-party assessor should review the provider's systems because FedRAMP has already taken care of that review. One caveat a practitioner should keep in mind: an authorization covers a specific cloud offering, within a defined authorization boundary, at a specific impact level, not everything a vendor sells, so the organization should confirm that the service and region it intends to use are inside the authorized boundary.
In addition, if an organization decides to adopt federal government cloud security protocols as its own, it helps ensure consistency across its own organization and the government. This uniformity offers more confidence in one's own cloud security. Getting the CSP review out of the way also means an organization can move more quickly to a cloud-native platform.
FedRAMP and FISMA
FedRAMP, established in 2011, is a relatively new development in the realm of government information security regulations. It is an offshoot of a much older law, FISMA, which was passed in 2002 to provide a framework for how federal agencies can use new technology while still protecting the government's vital and sensitive information.
FISMA did not explicitly cover cloud applications—they were a later technological development. Because of the strict security protocols set by the government, agencies were reluctant to use cloud technology lest they run afoul of FISMA. FedRAMP provides a solution by giving agencies a specific framework to ensure CSP security. This allowed federal government departments to partner with CSPs while still meeting all legal security requirements.
Fortinet's Commitment to FedRAMP
CSPs should put security at the top of their priority list. Fortinet is an example of a CSP that is not only committed to FedRAMP but to advancing the latest security protocols for its government and non-government clients. This includes the recent innovations introduced by the government's Office of Management and Budget (OMB) in 2019, Trusted Internet Connection (TIC) 3.0, which has massive implications for government departments wanting to make full use of the potential of cloud architecture.
Fortinet offers a detailed outline of how organizations can advance their platforms. Fortinet and Amazon Web Services (AWS) are both trusted entities that adhere to FedRAMP rules. Furthermore, Fortinet Federal, the Fortinet network security solution that provides integrated federal government cybersecurity for endpoints, networks, clouds, and applications working together as one cohesive whole, delivers threat protection through automated response systems and simplified security management.