Coalfire FedRAMP Assessment Frequently Asked Questions
Coalfire has compiled answers to frequently asked questions about the FedRAMP program and security assessment process. Our list of FAQs will grow over time, so please bookmark this page for future reference.
If you don't find an answer to a question you are looking for, please submit your question below and we will respond.

FedRAMP Overview
What is FedRAMP?
What is a third party assessment organization (3PAO)?
What kinds of services does a 3PAO provide?
What is the FedRAMP process?
Is a 3PAO FedRAMP assessment required every year?
At the end of the process what document or credential does my organization receive to show to customers we have gone through this process?
Are services like manual penetration tests, social engineering or attack simulation required as part of this process?
What is the JAB?
FISMA vs. FedRAMP
What are the top-level differences between FedRAMP and FISMA assessments?
FISMA assessments vs. FedRAMP assessments – A more in-depth comparison
Will FedRAMP assessments replace FISMA assessments?
What is a low and moderate impact system? What is the process for high impact systems?
ATO Related Questions
How long will the process take to achieve a Provisional ATO? How long does the FedRAMP assessment process take?
Does a FedRAMP Provisional ATO expire after a set time? Are there periodic “upkeep” assessments in order to maintain the Provisional ATO?
My organization received an ATO from a government agency following a FISMA assessment. How are we affected?
If I am a GSA BPA ATO grantee, do I have to go through FedRAMP assessment process?
Does the Provisional ATO allow us to work with any federal agency in the US government?
If we are awarded a provisional ATO and we later need to add controls to the security framework, do we have to resubmit to the entire FedRAMP Assessment process?
If I have an ATO from a government agency for cloud services, is my level of effort to go through a FedRAMP assessment the same, reduced or greater?
Determining if FedRAMP is right for your organization
Is FedRAMP right for my organization?
How much will a FedRAMP 3PAO assessment cost? Is it fixed or flexible?
Can I work with multiple 3PAOs?
Can a 3PAO help me with preparing documentation and conduct an assessment?
How soon will the government be moving data to authorized FedRAMP CSPs?
Are portions of the FedRAMP assessment process able to be done remotely?
What mobile device implications should we be considering that may access data within government cloud information? Should CSPs prepare guidance on what mobile device applications must require as a baseline?
FedRAMP Overview
What is FedRAMP?
FedRAMP is a government program which requires cloud service provider (CSP) organizations to undergo an independent security assessment to determine whether they meet a minimum set of security requirements and controls management practices, and are therefore eligible to host government data. FedRAMP was developed as a “do once, use many” framework to establish a repository of eligible CSP organizations that have been awarded a provisional authority to operate (ATO) upon completion of a successful FedRAMP assessment. Government agencies can then choose to host data with an authorized CSP in an effort to save taxpayer expense on government IT infrastructure. You can read more about the FedRAMP assessment process.
What is a third party assessment organization (3PAO)?
A 3PAO is a third party assessment organization. As part of the requirements for the FedRAMP program, each CSP must select and work with a FedRAMP accredited 3PAO to assess the security and controls management of the environment being made available to host government data. Activities related to security testing, such as vulnerability scans, must be conducted by the selected 3PAO.
3PAOs go through an evaluation process in which they must demonstrate technical competence with FISMA assessments and independence in quality control and management in accordance with ISO standards.
What kinds of services does a 3PAO provide?
The primary role of the 3PAO is to perform initial and periodic assessments of CSP systems per FedRAMP requirements, provide evidence of compliance and play an on-going role in ensuring CSPs meet requirements.
Some 3PAO organizations may also offer advisory services, helping prepare organizations for the FedRAMP process. All 3PAO organizations must strictly adhere to independence requirements when offering advisory or assessment services.
What is the FedRAMP process?
The FedRAMP process (GSA link) is a more formal and rigorous process, with each stage requiring approval from the FedRAMP JAB before moving on to the next step. The steps can be broken down into a few broad components, which are listed below.
- Conducting a FedRAMP Security Assessment, as performed by an accredited 3PAO
- Obtaining and leveraging a provisional Authority to Operate (ATO) to be eligible for selection to host government data
- Maintaining your authorization through Continuous Monitoring/Ongoing Assessment & Authorization activities
The GSA website (link to GSA) provides greater detail on the specifics of each step of the FedRAMP program.
Is a 3PAO FedRAMP assessment required every year?
While it is the ultimate responsibility of the CSP to adhere to the FedRAMP Ongoing Assessment & Authorization (or Continuous Monitoring) process requirements, the CSP may use their original 3PAO, or they may choose a different 3PAO, to satisfy the annual FedRAMP security assessment requirement.
At the end of the process what document or credential does my organization receive to show to customers we have gone through this process?
The completion of the FedRAMP authorization process results in a provisional ATO with government agencies for cloud services. In addition to being included in the FedRAMP list of authorized CSPs from which government agencies can select, CSPs will also receive FedRAMP authorized credentials (e.g. logos) to display on their website and in documentation. These state “FedRAMP Agency – Authority to Operate” for granted agency ATOs. Those that receive a provisional ATO for their service can display a logo that states “FedRAMP JAB – Provisional ATO”.
Are services like manual penetration tests, social engineering or attack simulation required as part of this process?
Yes. The security assessment will include infrastructure, database, web application and other scans leveraging manual procedures and/or automated tools.
What is the JAB?
JAB stands for Joint Authorization Board, which is made up of a few government departments: the General Services Administration (GSA), the Department of Homeland Security (DHS) and the Department of Defense (DoD). These agencies work closely with the Office of Management and Budget (OMB), the CIO Council and the National Institute of Standards and Technology (NIST), but the JAB itself consists only of GSA, DHS and DoD.
FISMA vs. FedRAMP
What are the top-level differences between FedRAMP and FISMA assessments?
| FISMA | FedRAMP |
|---|---|
| The FISMA legislation requires all commercial organizations working with government agencies, their departments and contractors to go through a FISMA assessment process. | The FedRAMP assessment process is only for Cloud Service Provider organizations and their subcontractors. |
| Framework: FIPS 199, 200 & NIST 800-53 rev.3 | Framework: FIPS 199, 200 & NIST 800-53 rev.3 |
| Number of Controls (for moderate impact): 252 | Number of Controls (for moderate impact): 297 |
| 3PAO is not required to conduct assessment | 3PAO is required to conduct assessment |
| Awarded Agency ATO is leveraged for one government agency | Awarded Provisional ATO is leveraged for multiple government agencies |
| Do once, use once | “Do once, use many” |
| The FISMA assessment is driven by a government agency, which approves and issues an Agency ATO to do work only with that agency. | A more formal and rigorous assessment and certification process, based on the FISMA assessment plus additional procedures and rules specific to cloud services, where the FedRAMP JAB approves and issues a provisional ATO. |
| Agency ATOs awarded as a result of a FISMA assessment can be maintained for approximately the next 2 ½ years, after which it is expected that all IT certification assessments will follow the FedRAMP process. | No Provisional ATOs are currently active through the FedRAMP process. The first FedRAMP certifications are anticipated in Q4 2012. |
FISMA assessments vs. FedRAMP assessments – A more in-depth comparison
Both FISMA assessments and FedRAMP assessments are federal IT security programs that share similar controls frameworks designed to adequately safeguard information systems and assets holding government data, and both result in an authority to operate (ATO); but that is where the similarities end. The organizations which need a FedRAMP or FISMA assessment vary (some may need both), and the process to achieve the ATO is very different. A more in-depth comparison can be found in our document FISMA vs. FedRAMP (PDF on the Coalfire site).
Will FedRAMP assessments replace FISMA assessments?
It is expected that by 2014, the FedRAMP process will be the only assessment and approval process that any organization must go through to receive a provisional ATO with government agencies. As part of the cloud first policy (CIO.gov site), cloud service providers are the first organizations mandated to go through this process, in an effort to consolidate government IT infrastructure for low-impact and moderate-impact systems as they relate to confidentiality, integrity and availability.
What is a low and moderate impact system? What is the process for high impact systems?
The impact level of a system is determined by a formula that combines the impact values assigned to the confidentiality, integrity and availability of the system. Depending on how the equation works out, systems are assigned an impact category. The current FedRAMP initiative is to move low-impact and moderate-impact level systems to the cloud. High-impact systems will be addressed once the FedRAMP process for low-impact and moderate-impact systems proves out.
ATO Related Questions
How long will the process take to achieve a Provisional ATO? How long does the FedRAMP assessment process take?
To some degree it depends on the system. Both FISMA assessments and FedRAMP assessments involve the documentation and testing of the cloud environment against the controls designated for the assessment type. FedRAMP is the more formal process to complete: each stage is gated by the JAB, which must approve it before you move on to the next step, and waiting for approval at each stage can increase your total time to achieve a provisional ATO.
Does a FedRAMP Provisional ATO expire after a set time? Are there periodic “upkeep” assessments in order to maintain the Provisional ATO?
As part of the FedRAMP requirements there is a Continuous Monitoring and Ongoing Assessment & Authorization process with activities that must be completed to maintain the security authorization. Some activities must be completed by the CSP and other activities must be completed by a 3PAO.
My organization received an ATO from a government agency following a FISMA assessment. How are we affected?
FedRAMP does not affect your ability to continue doing business with the federal government unless your customer (a government Agency) requires you to apply for and proceed through the FedRAMP process.
NOTE: “FedRAMP is mandatory for Federal Agency cloud deployments and service models that meet the criteria for a low and moderate risk impact level system. Private cloud deployments intended for single organizations and implemented fully within Federal facilities are the only exception. Additionally, each year Executive departments and agencies must submit to the Federal CIO a listing of all existing cloud services that do not meet FedRAMP requirements with the appropriate rationale and proposed resolutions. Once FedRAMP is operational, Federal Agencies have 2 years to ensure that currently implemented cloud services or those services in an active acquisition process meet FedRAMP requirements.” Source: GSA FedRAMP FAQs - http://www.gsa.gov/portal/category/102439
If I am a GSA BPA ATO grantee, do I have to go through the FedRAMP assessment process?
Your current GSA Blanket Purchase Agreement (BPA) ATO status does not affect your ability to continue doing business with the federal government unless your customer (Agency) requires you to apply for and proceed through the FedRAMP process.
The GSA BPA ATO will not transfer or “grandfather” an organization into a FedRAMP Provisional ATO. The organization must proceed through FedRAMP as a new, independent process.
Note: “FedRAMP is mandatory for Federal Agency cloud deployments and service models at the low and moderate risk impact levels. Private cloud deployments intended for single organizations and implemented fully within Federal facilities are the only exception. Additionally, each year Executive departments and agencies must submit to the Federal CIO a listing of all existing cloud services that do not meet FedRAMP requirements with the appropriate rationale and proposed resolutions. Once FedRAMP is operational, Federal Agencies have 2 years to ensure that currently implemented cloud services or those services in an active acquisition process meet FedRAMP requirements.” Source: GSA FedRAMP FAQs - http://www.gsa.gov/portal/category/102439
Does the Provisional ATO allow us to work with any federal agency in the US government?
The Provisional ATO awarded to the CSP at the end of the FedRAMP authorization process makes that CSP eligible to do business with any government agency seeking cloud hosting services.
If we are awarded a provisional ATO and we later need to add controls to the security framework, do we have to resubmit to the entire FedRAMP Assessment process?
Not necessarily. It is expected that changes will occur within the system environment, either as enhancements or as part of a Plan of Action and Milestones (POA&M) process to address identified/known control gaps. The Ongoing Assessment and Authorization (OA&A) process will cover changes within scope.
Major changes to the system Authorization Boundary and interconnected systems may require a resubmittal under FedRAMP.
If I have an ATO from a government agency for cloud services, is my level of effort to go through a FedRAMP assessment the same, reduced or greater?
CSPs with an existing Agency ATO for cloud hosting services may have a lower level of effort in conducting a FedRAMP security assessment, provided that the Authorization Boundary of the environment has not changed from what was originally assessed for the FISMA authorization.
If the Authorization Boundary has changed or a new environment was created, then your organization may want to consider pre-assessment or advisory services to determine your organization's readiness for the full FedRAMP assessment. These will help to define the Authorization Boundary, policies and major gaps which, if left unidentified, may increase back-and-forth with the FedRAMP JAB if you go straight into the FedRAMP security assessment.
Determining if FedRAMP is right for your organization
Is FedRAMP right for my organization?
The CSP’s customer (government agency) should provide guidance to the CSP. A government agency that is satisfied with a FISMA assessment (of their CSP) may be happy maintaining FISMA authorization for the next 2 ½ years. FedRAMP will probably replace FISMA after that (by expanding the assessment process to include other types of commercial organizations, not just CSPs).
If your organization is a Cloud Service Provider and makes a strategic decision to continue hosting government data, or would like to become eligible to host government data in the future (depending on whether you have a government agency as a customer), then a FedRAMP assessment is what you will want to pursue. In addition, there is a checklist of common controls that CSPs will need to meet and manage as part of the FedRAMP assessment process. Reviewing this checklist (see the GSA source below) against your ability to meet its items is a good place to start in evaluating whether your organization is ready for an assessment.
Source: Guide to Understanding FedRAMP | Table 3-1. Preparation Checklist - http://www.gsa.gov/graphics/staffoffices/Guide_to_Understanding_FedRAMP_061312_508.pdf
How much will a FedRAMP 3PAO assessment cost? Is it fixed or flexible?
There is no requirement for a 3PAO to choose a fixed fee model. Organizations have a right to negotiate terms on a case-by-case basis.
The FedRAMP 3PAO assessment costs will vary and depend on criteria such as (but not limited to):
- A clearly defined and accurate system Authorization Boundary
- The size and complexity of the information system that is designated within the Authorization Boundary
- The completeness and accuracy of existing documentation (System Security Plan, Policies, Procedures, etc.)
Can I work with multiple 3PAOs?
Yes, but you may not use more than one 3PAO for your FedRAMP security assessment.
Can a 3PAO help me with preparing documentation and conduct an assessment?
The 3PAO assessment team may not provide documentation preparation support. They may provide general guidance that would apply to any CSP.
CSP organizations seeking documentation preparation support may want to engage advisory services from a qualified service provider. Coalfire has independent advisory and assessment teams available to assist organizations through the various phases of the FedRAMP process.
How soon will the government be moving data to certified FedRAMP CSPs?
The CIO of each federal agency is required to identify three systems to move to the cloud within 18 months of the launch of FedRAMP. One of those three systems must be moved within 12 months of project start. Based on the timeframe of the FedRAMP launch, we expect this to mean one system moved by 2013 and two others by 2014 for each government agency. Coalfire expects that the JAB will begin listing the first certified CSPs awarded a provisional ATO by the end of 2012.
Are portions of the FedRAMP assessment process able to be done remotely?
Yes. This may vary by 3PAO and CSP.
The CSP may request that the assessment be performed remotely. However, certain tasks such as datacenter walkthroughs must be performed in person by the 3PAO.
What mobile device implications should we be considering that may access data within government cloud information? Should CSPs prepare guidance on what mobile device applications must require as a baseline?
NIST 800-53 rev.3 provides guidance and considerations for mobile devices that may access data within the information system. As with any device or application (mobile or otherwise), CSPs should implement the controls necessary to protect that data.