How to Inherit FedRAMP Authorization
What is FedRAMP?
In my last post, “What is FedRAMP?”, I talked about the basics of FedRAMP and how organizations can become certified.
To summarize, the Federal Risk and Authorization Management Program (FedRAMP) is an assessment and authorization process used by US government agencies to make sure proper security controls are in place when adopting cloud-based applications and infrastructure.
In order for companies to sell cloud services and products to US government agencies, they must demonstrate FedRAMP compliance by meeting security requirements derived from the National Institute of Standards and Technology (NIST) Special Publication 800-53 control catalog. Only cloud service offerings (CSOs) with a FedRAMP Authority to Operate (ATO) are permitted to be used by government agencies.
However, obtaining an ATO is a complex and time-consuming process when done 100% in-house. Fortunately, by leveraging an already authorized CSO, you may be able to inherit controls for your FedRAMP audit, significantly shortening the time it takes to obtain your own ATO.
In this post, I’ll touch on the details of this complexity, how inheritance works, where to start on your inheritance journey, and the impact you can expect FedRAMP inheritance can have on your organization.
Let’s get into it.
The challenge: Meeting FedRAMP compliance regulations is complex
Obtaining a FedRAMP authorization is not like getting a driver’s license, where a few documents are submitted, a simple test is passed, and the certification is issued.
Becoming FedRAMP certified can be a confusing, laborious, and costly process for a few reasons:
Copious security controls
A major contributing factor to the complexity of the authorization process is the sheer number of FedRAMP security controls. Put simply, CSOs are categorized as Low, Moderate, or High impact. Most systems are categorized as FedRAMP Moderate, which has 325 security controls, many of which are split into multiple parts. (The "IL" labels you will also see, such as IL2, IL4 and IL5, are the Department of Defense's Cloud Computing SRG impact levels, not FedRAMP baselines; DoD treats a FedRAMP Moderate authorization as meeting IL2, while IL4 and IL5 add DoD-specific controls on top of FedRAMP.)
Meanwhile, FedRAMP High CSOs have 421 security controls that are also split into multiple parts. Managing these controls is a draining, time-consuming endeavor that can distract many if not all of your teams from more pressing priorities.
Costly time and resource requirements
Becoming FedRAMP authorized is a commitment that requires a significant investment. The process needs at least a year to implement as well as staff—such as compliance, infrastructure, and IT professionals—that are specifically dedicated to the project. And it won’t pay off quickly—it’ll be anywhere between 12 to 24 months before you start seeing a return on your investment.
Continued maintenance and vigilance
Even after your organization does become FedRAMP authorized, your journey isn’t over. Your business is subject to continuous monitoring and annual audits. If you run your own infrastructure, your own identity, your own everything, then you will be doing a whole lot of work in-house to achieve continuous FedRAMP authorization.
Performing all of this in-house can be difficult for many organizations to justify when there are no short-term monetary results. Thankfully, inheriting authorization is a viable alternative option.
The alternative: FedRAMP Inheritance
One way to reduce the effort required to be FedRAMP authorized is to minimize the amount of controls your company needs to complete in-house. Essentially, companies can do this by “inheriting” controls from a vendor that has already achieved FedRAMP authorization.
For instance, if a company relies on Okta to manage their Identity layer, they can inherit some of the controls that address provisioning, deprovisioning, account auditing, and others without having to do additional work on their side.
How does inheritance work?
Cloud service providers have to take their offering through several phases—pre-authorization, assessment, authorization, and continuous monitoring—to achieve FedRAMP compliance.
It is in the assessment and authorization phases where the inheritance of controls comes into play. A CSO that is built on services from another FedRAMP authorized CSO can document some of its controls as inherited from that system rather than implementing and evidencing them itself, which shortens the assessment and speeds up authorization.
Since Okta is currently authorized at the FedRAMP Moderate baseline (which DoD accepts as impact level 2, or IL2), Okta customers working towards their own FedRAMP authorization can claim some of the controls covered under Okta's ATO as inherited. Inheritance is not automatic, though: your System Security Plan (SSP) must list each inherited control and the authorized system it is inherited from, your offering must actually use that system inside its authorization boundary, and your Third Party Assessment Organization (3PAO) will verify the claim.
A core principle of FedRAMP is "do once, use many times," meaning a CSO needs only complete FedRAMP authorization once for any federal agency to reuse that authorization package. This same principle extends to inheritance. If a CSO leverages an authorized system—like Okta—that system doesn't need to be reassessed as part of the leveraging CSO's audit, nor does the CSO have to describe how the leveraged service implements the inherited controls: its SSP records which controls are inherited and from which authorized system, and the detail lives in the leveraged provider's own authorization package and continuous monitoring deliverables.
The impact of inheriting through Okta
Engaging Okta as the identity provider for your organization allows you to inherit from Okta’s security posture, and by extension, makes the FedRAMP process less burdensome.
Leveraging Okta's Authority to Operate will reduce the number of controls you have to complete in-house, and provides information that is used to partially meet other controls via inheritance. For example, the infrastructure and operational security behind Okta's identity and Multi-Factor Authentication service is covered by Okta's authorization; your remaining responsibility is to configure Okta correctly—enforce MFA in your sign-on policies, define account provisioning and deprovisioning workflows, and keep audit logs flowing to your own monitoring. Okta's FedRAMP package spells out which controls are fully inherited and which are shared, so use that customer responsibility breakdown, not assumptions, to decide what still falls to you.
This means your security team can spend far less time on security control maintenance and audit preparation for the inherited controls, and dedicate more time to conceptualizing and crafting the appropriate security infrastructure for your organization. Your own system is still subject to annual assessment and continuous monitoring; inheritance shrinks the scope, it does not remove the obligation.
But will Okta meet my organization’s FedRAMP standards?
Many organizations already inherit FedRAMP controls through Okta, including Blackboard and Zscaler. By adopting our products and services, these organizations have been able to deliver their own offerings to federal agencies.
It's important to note that you can only inherit controls from a CSO authorized at the same or a higher impact level than the one your organization is attempting to achieve: a Moderate system cannot satisfy Moderate controls by inheriting from a Low-authorized provider. Okta is currently authorized at FedRAMP Moderate (accepted by DoD as IL2), and is working towards its FedRAMP+ authorization (IL4), which is tailored for the Department of Defense.
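The impact-level rule above and the SSP bookkeeping described under "How does inheritance work?" both come down to the same exercise: take your target baseline, take the leveraged provider's customer responsibility breakdown, and work out what is inherited outright, what is shared (the provider covers part, you configure the rest), and what remains entirely yours. The script below is an added example of that exercise and is not Okta's or FedRAMP's code. The control IDs, the three-way responsibility labels and the sample rows are constructed for illustration; a real provider's Customer Responsibility Matrix will use its own format and will be far longer.

```python
"""Residual-responsibility calculator for FedRAMP control inheritance.

Added example, not code from Okta or FedRAMP. The baseline subset, the
responsibility labels and every row of SAMPLE_CRM are constructed sample
data standing in for a provider's Customer Responsibility Matrix.
"""
from dataclasses import dataclass

# Ordering used to enforce "inherit only from the same or a higher level".
IMPACT_RANK = {"Low": 1, "Moderate": 2, "High": 3}


@dataclass(frozen=True)
class CrmRow:
    control: str          # NIST SP 800-53 control ID, e.g. "AC-2" or "IA-2(1)"
    responsibility: str   # constructed labels: "Inherited", "Shared", "Customer"
    customer_action: str = ""   # for "Shared": what the leveraging CSO must still do


# Constructed sample rows for a hypothetical authorized identity provider.
SAMPLE_CRM = [
    CrmRow("AC-2", "Shared", "Define and enforce account lifecycle policy in the tenant"),
    CrmRow("AC-2(4)", "Inherited"),   # automated audit of account actions
    CrmRow("IA-2", "Shared", "Require MFA for all users via sign-on policy"),
    CrmRow("IA-2(1)", "Inherited"),
    CrmRow("AU-2", "Inherited"),
    CrmRow("PE-3", "Inherited"),      # physical access to the provider's data centers
    CrmRow("SC-7", "Customer"),       # boundary protection stays with the customer
]

# Constructed subset of a Moderate baseline; CM-6 is deliberately absent from the CRM.
SAMPLE_BASELINE = ["AC-2", "AC-2(4)", "IA-2", "IA-2(1)", "AU-2", "PE-3", "SC-7", "CM-6"]


def can_inherit(leveraged_level: str, target_level: str) -> bool:
    """True if the leveraged system's impact level is at least the target level."""
    return IMPACT_RANK[leveraged_level] >= IMPACT_RANK[target_level]


def residual_responsibility(baseline, crm, leveraged_level, target_level):
    """Split `baseline` into (inherited, shared, customer) using the provider's CRM.

    `shared` entries are (control, customer_action) pairs so the SSP author can
    record exactly what remains to be configured. Any baseline control the CRM
    does not mention is treated as fully customer-owned, never silently assumed.
    """
    if not can_inherit(leveraged_level, target_level):
        raise ValueError(
            f"cannot inherit {target_level} controls from a {leveraged_level} system"
        )
    rows = {r.control: r for r in crm}
    inherited, shared, customer = [], [], []
    for ctl in baseline:
        row = rows.get(ctl)
        if row is None or row.responsibility == "Customer":
            customer.append(ctl)
        elif row.responsibility == "Inherited":
            inherited.append(ctl)
        elif row.responsibility == "Shared":
            shared.append((ctl, row.customer_action))
        else:
            raise ValueError(f"unknown responsibility {row.responsibility!r} for {ctl}")
    return inherited, shared, customer


def summarize(baseline, crm, leveraged_level, target_level) -> dict:
    """Counts per category, handy for sizing the in-house work before an audit."""
    inherited, shared, customer = residual_responsibility(
        baseline, crm, leveraged_level, target_level
    )
    return {"inherited": len(inherited), "shared": len(shared), "customer": len(customer)}


if __name__ == "__main__":
    inh, sh, cust = residual_responsibility(SAMPLE_BASELINE, SAMPLE_CRM, "Moderate", "Moderate")
    print("Inherited:", inh)
    for ctl, action in sh:
        print(f"Shared   : {ctl} -> {action}")
    print("Customer :", cust)
    print(summarize(SAMPLE_BASELINE, SAMPLE_CRM, "Moderate", "Moderate"))
```

Run it as-is to see the split for the constructed data; swap `SAMPLE_CRM` and `SAMPLE_BASELINE` for rows parsed from a real provider's matrix and your real baseline. The `can_inherit` check is the guard a reviewer will apply first: if the provider is authorized below your target level, nothing in its matrix counts toward your controls.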
To get started on your inheritance journey or to just get your questions answered, contact us. To learn more about becoming FedRAMP compliant with Okta, read our blog post, How to Be FedRAMP Compliant with Okta, or our whitepapers, Inheriting from Okta's FedRAMP Authorization and Setting Up Your Okta Org for FedRAMP Compliance.