Are you a cloud service provider working on a federal contract and need a FedRAMP authorization – but don’t have a sponsor yet?
Acquiring a committed government agency sponsor early in the FedRAMP process is crucial to your success and will ensure a smoother process. A major role for an agency sponsor is to identify which risks they are willing to accept in your Cloud Service Offering (CSO) that may not fully align with FedRAMP requirements.
Once you have partnered with an agency sponsor, they will help schedule a kickoff meeting with your team and the FedRAMP Program Management Office (PMO). You’ll present your CSO, your FedRAMP Customer Success Manager will provide an overview of the FedRAMP process and agency responsibilities, and your sponsor will help to get you on the right page. Here’s a Coalfire blog by Nick Peters explaining in more detail what to expect in this FedRAMP kickoff meeting.
Once this initial briefing with your agency sponsor and the FedRAMP PMO is complete, the next milestone is getting listed as “FedRAMP In Process” – and the steps will vary based on which path you take: Joint Authorization Board (JAB) or Agency.
Since the Agency path is the most common one for Cloud Service Providers (CSPs) to take on their FedRAMP journey, we will start here.
To get listed as “FedRAMP In Process” with an agency, there are several key steps to complete before being listed on the Marketplace. The first and arguably most important step is to provide the FedRAMP PMO with an attestation letter from an agency point of contact that should include the following.
- The CSP name
- The CSO name
- An attestation that the agency is actively working with the CSP to grant an Authority to Operate (ATO) in:
- 12 months for Low, Moderate, and High, or,
- Three months for a FedRAMP Tailored authorization
- The impact level (Low, Moderate, or High) at which the agency will authorize the service offering
- The agency and CSP points of contact who will work with FedRAMP during the authorization process
- The scheduled date for the full assessment, which should be no more than six months from the date of the attestation letter
Timelines are important as the clock starts ticking once listed on the FedRAMP Marketplace. If the package is not submitted within the designated timeframe, the offering is removed from the Marketplace. Once the CSP has the kickoff meeting, the clock starts on both the 6 months to begin an assessment, and the 12 months to get through the ATO process. The FedRAMP Customer Success Manager will point this out in the initial meeting and will ensure that all parties understand these expectations.
Another point to consider is that CSPs should have a conversation as early as possible to ensure schedules and timelines align with their intended Third-Party Assessment Organization (3PAO) as these assessors are often booked ahead several months.
The attestation letter can come in the form of an email or physical letter from the agency point of contact or CSP. In addition to the attestation letter, one of the following must be completed in order to receive the “In Process” status:
- The CSP provides proof of a contract award from the agency for the use of the CSO
- The agency and the CSP demonstrates pre-existing use of the service offering to the PMO (this requirement can be met via an email from the agency point of contact to the PMO)
- The CSO is currently listed on the FedRAMP Marketplace as “FedRAMP Ready”
- The CSP completes a formal kickoff meeting with the agency, FedRAMP PMO, and 3PAO if applicable
Once these steps have been completed, the FedRAMP PMO will review the information provided in the kickoff meeting, and if all is in order, will approve listing the CSP and CSO on the FedRAMP Marketplace as “In Process” within two to three weeks.
If you are following the JAB path, getting the “In Process” designation requires several more steps, but follows the same general flow with a few key distinctions. First, you must go through the FedRAMP Connect process in order to be selected by the JAB. The JAB selects approximately 12 CSPs a year (3 each quarter) to go through the process. The FedRAMP Connect process requires the CSP to put together a business case outlining any current agency use, potential agency use, indirect demand through other CSOs, official requests from an agency to the PMO, and potential use to address national strategy or policy. As part of the prioritization process, CSPs are also required to be become FedRAMP Ready within 60 days of being selected and then must be ready to kick off with the JAB 30 days later, 90 days total from prioritization.
Once selected by the JAB, there are several additional steps to be completed:
- A CSP must achieve the FedRAMP Ready designation within 60 days of being selected by the JAB. The FedRAMP Ready designation shows the CSP has gone through a Readiness Assessment Review (RAR), which serves as the first risk assessment to ensure a CSO does not have any showstoppers and can meet the critical FedRAMP requirements. Part of the RAR involves a 3PAO reviewing a CSP’s partial System Security Plan (SSP), a subset of the FedRAMP controls, and the draft contingency plan, incident response plan, and configuration management plan for the CSO
- A CSP must complete and finalize the CSO's SSP
- The CSP must engage a 3PAO to schedule and complete a formal audit resulting in a Security Assessment Report (SAR)
- The CSP must upload all the required security package materials (SSP, policies, plans, etc.) to the federal document repository OMB MAX
- The CSP completes a formal kickoff meeting with the JAB, FedRAMP PMO, and partnering 3PAO
Once the CSP completes the kickoff meeting, this serves as a go/no-go decision point for the JAB to state whether the CSP gets listed as In Process, and if the partnership with the JAB toward a provisional Authority To Operate (P-ATO) can continue.
It's important for a CSP to understand that while achieving the “In Process” milestone is to be celebrated, it is just the next step in the journey toward a FedRAMP ATO, and that more work will be required ahead.