Considering the amount of sensitive data that the U.S. Federal Government deals with on a daily basis, it’s no surprise that they have established strict parameters for the service providers they choose to work with.
That’s precisely why FedRAMP, the Federal Risk and Authorization Management Program, was established in 2012—to evaluate and designate cloud service providers (CSPs) that want to work with federal government agencies. From ensuring quality of service and data integrity to quarterly reporting and safeguarding personally identifiable information, it’s a rigorous and time-consuming program for companies looking to provide products and services to the U.S. government.
What is FedRAMP?
At its core, FedRAMP is a government cybersecurity risk management scheme that establishes a standardized approach for assessing, authorizing, and monitoring cloud service providers. It was created by the U.S. General Services Administration in response to the increasing number of federal agencies adopting cloud solutions, to help protect those agencies from the cybersecurity risks that come with implementing cloud-based infrastructure and applications.
Specifically, FedRAMP determines which cloud services or products can be used by agencies, using hundreds of controls—the number varies depending on the level of certification—to evaluate a cloud service offering’s (CSO) documentation, operational procedures, level of security compliance, and much more. All of these controls must be met before the service provider is granted an authority to operate (ATO) within the network of federal government agencies.
FedRAMP’s various impact levels
There are a number of compliance requirements that CSOs must meet before they’re used by a federal agency. These are specified in the NIST Special Publication 800-53—a rigorous set of controls intended to protect federal information systems—and supplemented with guidance from the FedRAMP Program Management Office (PMO).
CSOs are also categorized into four impact levels (Low, Moderate, FedRAMP+, and High), which are used to help CSPs ensure that their offerings meet the minimum security requirements for how they process, store, and transmit data. The categories are determined based on the potential impact certain events would have on the agency’s ability to conduct its mission.
- Low impact level (also called IL1) is the most appropriate category for CSOs where any loss of integrity or availability would have limited impact on the agency’s reputation, finances, or safety. These CSOs will typically only store the information required for login (e.g., usernames and passwords). There are 126 controls in FedRAMP’s Low baseline.
- Moderate impact level (also called IL2) covers 80% of CSP applications. It’s most appropriate for CSOs that could cause serious to catastrophic impact on their agency if compromised. Damages at this level could include operational disruptions, monetary loss, and non-physical harm to individuals. There are 325 controls associated with this level.
- FedRAMP+ (also called IL4) is an added layer between the moderate and high impact levels. It includes an additional 38 controls that were identified by the Department of Defense (DoD) to support controlled unclassified information.
- High impact level (IL5 or IL6) is usually appropriate for CSOs that handle high-risk systems such as defense, intelligence, healthcare, finance, emergency services, or law enforcement systems. Breaches of these programs are considered catastrophic, potentially resulting in financial loss or the shutdown of operations, and putting intellectual property and even individual lives at risk. This level has 421 controls.
Is FedRAMP right for you?
Getting a FedRAMP authorization is no easy feat and involves a number of players, so it’s important to understand your CSO’s and company’s preparedness and viability before taking the leap. Here are a few questions to ask before embarking on the rigorous authorization process:
- Does the federal government have a genuine need for your product? Are you confident they will want to buy it?
- Are you willing to invest in a comprehensive sales strategy aimed at the public sector, including hiring or training salespeople?
- Is your organization prepared for the length of time the authorization process will take?
- Can you afford the costs associated with organization-wide security enhancements?
- Is your organization prepared for the long haul? Do you have buy-in from all necessary departments and department heads?
How does inheritance work?
Cloud service providers have to go through several phases to achieve FedRAMP compliance. The first phase is the pre-authorization, in which three parties come together—the FedRAMP PMO, the CSP, and a federal agency—to discuss responsibilities, requirements, timeline, and implementation.
The second phase is the authorization process, which involves a comprehensive assessment of the cloud service provider, scrutinizing the various controls to ensure the required level of federal compliance is met. This is where the inheritance of controls comes in. A CSP that builds on services from other CSPs that have already obtained their FedRAMP authorization can inherit some of those providers’ controls rather than implementing and assessing them again itself.
Once the control assessment is completed, the CSP receives its authorization and ATO from the agency in question. The CSP then has to comply with continuous monitoring to make sure that the controls that were evaluated continue to function effectively in light of system changes and newly discovered exploits and attacks.
What about Okta customers?
Okta is currently classified as a Moderate impact level CSO, and is working towards getting its FedRAMP+ authorization. So, Okta customers working towards their own FedRAMP authorization can automatically inherit the implementation of some of the controls that are covered under Okta’s ATO.
For more details, see our blog post, How to Inherit FedRAMP Authorization.
The FedRAMP authorization process is long and complex, but getting through it is critical for private firms that want to provide cloud-based products and services to federal agencies. And by working with CSPs that are already authorized, there’s an opportunity to streamline the process considerably.