What is FedRAMP and how will it affect me? Frequently Asked Questions

By Rob Barnes, Federal Practice Lead

The U.S. government's FedRAMP process presents a huge opportunity for cloud service providers to become eligible to host government data.  FedRAMP is designed to shift government data to commercial cloud service providers in an effort to reduce taxpayer expense for government IT infrastructure and to streamline the vendor approval process.

There’s a high level of interest in understanding the program and how it differs from other industry or government-based security assessments. We are receiving questions from non-traditional government vendors asking how to take advantage of this window of opportunity - as well as incumbent organizations navigating their way through the new process.

At Coalfire, an accredited FedRAMP 3PAO, the questions we're getting are across the board: from understanding how the program works, to the advisory and assessment services required, to helping determine if the FedRAMP assessment is right for an organization. From these questions, we created a convenient list of FAQs.

Below you will find a couple of questions that we are frequently asked. Learn more about our FedRAMP 3PAO assessment services.

What is FedRAMP?

FedRAMP is a government program which requires cloud service provider (CSP) organizations to conduct an independent security assessment to determine if CSPs meet a minimal set of security requirements and controls management to be eligible to host government data. FedRAMP was developed as a “do once, use many” framework to establish a repository of eligible CSP organizations, which have been awarded a Provisional Authority To Operate (ATO) upon completion of a successful FedRAMP assessment. The government can then select to host data with an authorized CSP in an effort to save taxpayer expense on government IT infrastructure. You can read more about the FedRAMP assessment process.

What is a third party assessment organization (3PAO)?

3PAO is a third party assessment organization. As part of the requirements for the FedRAMP program each CSP must select and work with a FedRAMP accredited 3PAO to assess the security and controls management for the environment being made available to host government data. Activities related to security testing, such as vulnerability scans, must be conducted by the selected 3PAO.

3PAOs went through an evaluation process in which they demonstrated technical competence with FISMA assessments and independence in quality control and management in accordance with ISO standards.

What is the FedRAMP process?

The FedRAMP process (GSA website) is a more formal and rigorous process, with each stage requiring approval from the FedRAMP JAB before moving on to the next step. The steps can be broken down into a few broad components, which are listed below.

  1. Conducting a FedRAMP security assessment, as performed by an accredited 3PAO.
  2. Obtaining and leveraging a provisional Authority to Operate (ATO) to be eligible for selection to host government data.
  3. Maintaining your authorization through Continuous Monitoring/Ongoing Assessment & Authorization activities.

The GSA website for the FedRAMP program provides greater detail on the specifics of each step.

FISMA assessments vs. FedRAMP assessments - What are the high-level differences between FedRAMP and FISMA assessments?

The FISMA legislation requires all commercial organizations working with government agencies, their departments and contractors to go through a FISMA assessment process. The FedRAMP assessment process is only for Cloud Service Provider organizations and their subcontractors.

| FISMA assessment | FedRAMP assessment |
| --- | --- |
| Framework: FIPS 199, 200 & NIST 800-53 rev.4 | Framework: FIPS 199, 200 & NIST 800-53 rev.4 |
| Number of Controls (for moderate impact): 252 | Number of Controls (for moderate impact): 297 |
| 3PAO is not required to conduct assessment | 3PAO is required to conduct assessment |
| Awarded ATO is leveraged for one government agency | Awarded Provisional ATO is leveraged for multiple government agencies |
| Do once, use once | “Do once, use many” |

The FISMA assessment is driven by a government agency, which approves and issues an Agency ATO to do only work with that agency. FedRAMP is a more formal and rigorous assessment and certification process - based on FISMA assessment plus additional procedures and rules specific to cloud services - where the FedRAMP JAB approves and issues a Provisional ATO.
Agency ATOs awarded as a result of a FISMA assessment can be maintained for approximately the next 2 ½ years, after which it is expected that all IT certification assessments will follow the FedRAMP process. No current Provisional ATOs are active through the FedRAMP process. The first FedRAMP certifications are anticipated in Q4 2012.

What is a low- and moderate-impact system? What is the process for high-impact systems?

The impact level of a system is determined by a formula that calculates the value of confidentiality, integrity and availability of a system. Depending on how the equation works out, systems are assigned an impact category. The current FedRAMP initiative is to move low-impact and moderate-impact level systems to the cloud. High-impact systems will be addressed once the FedRAMP process for low-impact and moderate-impact proves out.

ATO-Related Questions

How long will the process take to achieve a Provisional ATO? How long does the FedRAMP assessment process take?

To some degree it depends. Both FISMA assessments and FedRAMP assessments involve the documentation and testing of the cloud environment against the number of controls designated by the assessment type. FedRAMP is a more formal process to complete: each stage is gated by the JAB, which requires approval at each stage before moving on to the next step. Approval at each stage in the process can increase your total time to achieve a Provisional ATO.

Does a FedRAMP Provisional ATO expire after a set time? Are there periodic “upkeep” assessments in order to maintain the Provisional ATO?

As part of the FedRAMP requirements there is a Continuous Monitoring and Ongoing Assessment & Authorization process with activities that must be completed to maintain the security authorization. Some activities must be completed by the CSP and other activities must be completed by a 3PAO.

My organization received an ATO with a government agency for a FISMA assessment. How are we affected?

FedRAMP does not affect your ability to continue doing business with the federal government unless your customer (a government Agency) requires you to apply for and proceed through the FedRAMP process.

NOTE: “FedRAMP is mandatory for Federal Agency cloud deployments and service models that meet the criteria for a low and moderate risk impact level system. Private cloud deployments intended for single organizations and implemented fully within Federal facilities are the only exception. Additionally, each year Executive departments and agencies must submit to the Federal CIO a listing of all existing cloud services that do not meet FedRAMP requirements with the appropriate rationale and proposed resolutions. Once FedRAMP is operational, federal agencies have two years to ensure that currently implemented cloud services or those services in an active acquisition process meet FedRAMP requirements.” Source: GSA FedRAMP FAQs - http://www.gsa.gov/portal/category/102439

Is FedRAMP right for my organization?

A CSP’s customer (government agency) should provide guidance to the CSP. A government agency that is satisfied with a FISMA assessment (of their CSP) may be happy maintaining FISMA authorization for the next 2 ½ years. FedRAMP will probably replace FISMA after that (by expanding the assessment process to include types of commercial organizations other than just CSPs).

If your organization is a Cloud Service Provider and makes a strategic decision to continue hosting government data, or would like to become eligible to host government data in the future, then, depending on whether you have a government agency as a customer, a FedRAMP assessment is what you will want to pursue. In addition, there is a checklist of common controls that CSPs will need to meet and manage as part of the FedRAMP assessment process. Reviewing this checklist (screenshot below) against your ability to meet its controls is a good place to start in evaluating whether your organization is ready for an assessment.

Source: Guide to Understanding FedRAMP | Table 3-1. Preparation Checklist -

How soon will the government be moving data to certified FedRAMP CSPs?

The CIO of each federal agency is required to identify three systems to move to the cloud, 18 months from the launch of FedRAMP. One of those three systems must be moved within 12 months of project start. Based on the timeframe of the FedRAMP launch, we expect this to mean one system moved by 2013 and two others by 2014 – for each government agency. Coalfire expects that the JAB will begin listing the first certified CSPs awarded with a provisional ATO by the end of 2012.
