Most people who have spent any time researching the FedRAMP authorization process know there are two routes for a Cloud Service Provider (CSP) to become FedRAMP authorized: Agency and Joint Authorization Board (JAB). Because of the limited number of CSPs selected each quarter for the JAB authorization process (FedRAMP Connect), many CSPs follow the agency authorization path. In fact, 77% of authorized CSPs have an Agency Authorization to Operate (ATO).
The first step in achieving FedRAMP Agency Authorization involves building a relationship with an agency that is a current or potential consumer of a CSP’s Cloud Service Offering (CSO). A CSP’s internal sales team can usually identify potential agency sponsorship opportunities. Once an agency agrees to sponsor the CSP’s CSO, the Agency Authorizing Official (AO) must send or be included on an email to firstname.lastname@example.org (FedRAMP Program Management Office [PMO]). This email should list the CSP and CSO name, designate points of contact for both the agency and CSP, and attest that the agency is working with the CSP to grant an ATO within 12 months for Low, Moderate, or High authorization or within 3 months for FedRAMP Tailored. Those descriptors indicate the impact level at which the agency will authorize the service offering. It is important to note that the full 3PAO assessment must be planned for no more than 6 months from the date of the email. Upon receipt, the FedRAMP PMO will schedule a formal kickoff meeting with the CSP, sponsoring Agency, and FedRAMP PMO representatives.
The kickoff meeting is an opportunity for the CSP to detail their services, authorization boundary, security control gaps and associated remediations, and the Work Breakdown Structure (WBS) with associated milestones. The FedRAMP PMO provides the CSP with a template for the presentation and the Agency Authorization Kickoff Briefing Guidance document and requires the CSP to submit the presentation at least one week prior to the meeting. It is highly recommended that the CSP review the guidance document in preparation for this meeting. While it can seem intimidating, knowing the main points to prepare and what to expect from the meeting should leave CSPs at ease and well prepared for the meeting.
Background and Function of Cloud Service
First, CSPs will provide the background information about the service. These are the simple details of the offering that will provide a foundation and high-level understanding prior to moving into the deeper technical details later in the briefing. Those items include:
- Cloud Service Offering (CSO) Name (what are you calling your product offering?)
- Service Offering Description (what is the platform and what does it do?)
- FIPS 199 Categorization (Low, Moderate, or High Impact)
- Service Model (SaaS, PaaS, IaaS)
- Deployment Model (Public, Community, Hybrid)
- Leveraged Systems (IaaS, 3rd Party services)
The leveraged systems will be an important part of the discussion, as the agency and PMO representatives will be keenly interested in all connections made and services consumed that are outside the CSP’s authorization boundary. Leveraged systems may include the IaaS the offering resides on (if it is a PaaS or SaaS solution) and any third-party cloud solutions utilized that will process, store, or transmit Federal data or system or security-related data. The discussion of the leveraged systems will naturally transition to the Authorization Boundary.
Authorization Boundary Diagram and Discussion
Presentation of a well-structured, detailed diagram depicting all components and subdivisions of the cloud offering is critical to providing a visual representation to the agency and PMO because it makes the offering more tangible and will help foster a better understanding of the service. The agency and PMO look for the following items in the Authorization Boundary diagram:
- Alignment with key concepts outlined in the FedRAMP Authorization Boundary Guidance
- A prominent RED border that depicts all services and system components in the authorization boundary
- All ingress/egress points depicted
- Connections to external systems and services that are used to manage the system or provide functionality for the environment. This includes:
  - System interconnections
  - Customer connections to the CSO
  - Application Program Interfaces (APIs)
  - Security/management tools
  - External cloud services
  - Corporate shared services
  - Underlying PaaS/IaaS systems
- Legend (this should also be used to show external services that are/are not FedRAMP authorized)
External Services Not FedRAMP Authorized
Data that is traversing in and out of the authorization boundary is a very important topic, especially for the PMO. The PMO and Third-Party Assessment Organization assessors (3PAO) will pay very close attention to connections to external cloud services, corporate shared services, and services from the IaaS layer used by the CSP. The best practice is to use only services that are FedRAMP authorized at the same level as (or higher than) the authorization the CSP is pursuing. For all external services used by the CSP, there are several things to know and be prepared to discuss:
- What data types are being transmitted, processed, and/or stored by each external service?
- What is the sensitivity level of the data? How would a compromise of the external service affect the Confidentiality, Integrity, or Availability (CIA) of your cloud service and/or the federal data?
- What mitigations and compensating controls are in place to lower the risk for any services not FedRAMP authorized?
- For any non-authorized services, does the CSP have plans to bring those into the authorization boundary or migrate to an authorized service?
While there is no explicit requirement that a CSP use only FedRAMP authorized external services, the PMO, in agreement with their published boundary guidance, is very particular about customer data and system or security-related data. The focus is on what data types are going to any external services that are outside the authorization boundary. Customer data should either stay in the authorization boundary or go to a FedRAMP authorized external service. The same approach should be taken for any security and vulnerability information you are considering sending outside the authorization boundary. Other data types like customer metadata, application performance, and system health data are more flexible, but CSPs must be prepared to discuss all the data types that are being transmitted to the external service.
Also, CSPs should be prepared to show a data flow diagram that is easy to read and interpret. The diagram should depict how and where data sets are traversing both inside the environment and to all external systems. The data flow diagram should identify where data is stored, processed, and transmitted. This includes ports, protocols, and services in use. Finally, be sure to annotate all points of access to data (privileged and non-privileged) for both customers and CSP administrative personnel.
Critical Security Capabilities
The next portion of the presentation is where the CSP will dive into even greater detail about how their offering meets certain critical security capabilities. For each of the areas outlined below, the CSP must be prepared to discuss gaps, alternative implementations, customer responsibilities, and controls that are not applicable to the CSP service offering:
- Access control
- Vulnerability management
- Configuration management
- Identification and authentication
- Incident response
- Contingency planning
- Systems and communication protection
Work Breakdown Structure and Milestones
The final portion of the presentation for the CSP is the WBS. The CSP will already have developed a relationship with their sponsoring agency, which is necessary to complete the WBS. The PMO will be looking for the CSP to present the established timeline in the WBS that is provided in the briefing template. It includes timelines for:
- Completion of the SSP and attachments
- Security Assessment Plan (SAP) delivery and remediation period
- Final Security Assessment Report (SAR) delivery and Plan of Action & Milestones (POA&M) updates
- SAR debrief
- Agency Package Review and ATO decision
- PMO Review and FedRAMP Marketplace decision
While it can seem daunting and difficult, the FedRAMP process and the kickoff meeting are neither if you come prepared. Demonstrating that you know your environment and the current state of preparedness for the FedRAMP requirements will go a long way with the agency sponsor and the PMO. You will quickly solidify your In-Process status and move to the next phase of your FedRAMP authorization journey!
For more information on our FedRAMP advisory solutions, please visit https://www.coalfire.com/Solutions/Audit-and-Assessment/FedRAMP/Consulting-Advisory or contact 3PAO@coalfire.com to learn how we can help.