What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP®) is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP aims to accelerate the adoption of secure cloud solutions across federal agencies.

For federal agencies seeking technology, particularly cloud services and products, FedRAMP plays a crucial role in ensuring that these offerings meet stringent security standards and are suitable for handling sensitive government data.

Why is FedRAMP Authorization important for government and defense industrial base customers?

FedRAMP is a U.S. government-wide program that was designed to ensure all federal information systems, aside from national security systems, meet the requirements of the Federal Information Security Management Act (FISMA).

For government agencies and the defense industrial base, FedRAMP Authorized status is important because it ensures the cloud services they use meet stringent security requirements, which is vital when handling sensitive government data. By using a FedRAMP Authorized service, agencies are also in compliance with federal regulations for cloud services.

Why should customers care if a cloud service is FedRAMP Authorized?

Cloud services customers, especially those who are government agencies or businesses that handle government data, should care about FedRAMP Authorization for a few reasons:

  • It reduces the risk of security breaches by ensuring that cloud service providers adhere to a high level of cybersecurity standards.
  • It saves time and resources since the authorization process involves a detailed examination of the provider's security measures, and once a service is authorized, that authorization can be used across government agencies.
  • It promotes transparency between the cloud service provider and the customer as the providers are required to continuously monitor and report their security measures.

What are the benefits to customers of trusting their data to a FedRAMP Authorized system?

  • Enhanced Security: FedRAMP certified providers have gone through rigorous security assessment, which ensures that they implement strong security measures to protect customer data.
  • Compliance: For government agencies and contractors, using a FedRAMP certified provider ensures they remain in compliance with federal regulations.
  • Consistent Security Standards: FedRAMP provides consistent security standards for all cloud services, ensuring a uniform level of protection across all platforms.
  • Cost and Time Savings: The "do once, use many times" framework reduces duplication of effort and saves time and money for the agencies that need to perform their own security assessments.
  • Continuous Monitoring: Providers are required to continuously monitor their security controls and report the results, ensuring ongoing security assurance.

In short, customers who trust their data to a FedRAMP Authorized system can have greater peace of mind that their data is protected by stringent security measures that meet or exceed federal standards.

FedRAMP Authorized cloud services are typically required by:

  • U.S. Federal Government Agencies: All federal agencies are required to use FedRAMP Authorized cloud services for their cloud-based IT deployments at or above the low and moderate risk impact levels. It ensures the security of government data in the cloud and compliance with existing regulations.
  • Government Contractors: Companies that have contracts with the federal government, especially those handling sensitive information or operating on behalf of a government agency, often need to use FedRAMP Authorized cloud services. These might include defense contractors, research organizations, or consultancy firms.
  • State and Local Governments: Although not formally required to use FedRAMP Authorized services, many state and local government entities choose to do so. FedRAMP can provide an extra level of assurance regarding the security controls of the cloud services these governments use.
  • Healthcare Providers: Some healthcare organizations that handle sensitive patient data (which may be subject to federal regulations like HIPAA) may opt to use FedRAMP Authorized cloud services as a part of their overall risk management strategy.
  • Educational Institutions: Universities and other educational institutions that receive federal funding, especially for research involving sensitive data, may also need or choose to use FedRAMP Authorized cloud services.

FedRAMP framework

The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) is a set of guidelines that provide a process that integrates security, privacy, and risk management activities into the system development life cycle.

The RMF, as detailed in NIST Special Publication 800-37, is used by federal agencies in the United States to assess and manage risks, and to certify and accredit IT systems to ensure they meet a sufficient level of cybersecurity readiness before they go live.

The RMF consists of six steps:

  • Categorize the system: This involves understanding the system and the information processed, stored, and transmitted by that system. The system is then categorized based on its impact level (low, moderate, or high).
  • Select security controls: Based on the categorization, security controls are selected from NIST Special Publication 800-53. This document provides a catalog of security and privacy controls that are implemented to protect the system from threats.
  • Implement security controls: The selected security controls are implemented within the system. Detailed documentation is developed that describes how the controls are deployed within the system and its environment of operation.
  • Assess the controls: The implemented controls are assessed to determine if they are implemented correctly and are producing the desired outcome with respect to meeting the security requirements for the system.
  • Authorize the system: If the system is found to be sufficiently secure during the assessment, an authorizing official will issue an Authorization to Operate (ATO). If not, remediation actions are taken.
  • Monitor the controls: Continuous monitoring activities are conducted to track changes to the system, ensure the continued effectiveness of the controls, and maintain the system’s security posture.

The RMF's ultimate goal is to help organizations understand and manage risks associated with the use of their systems, thereby ensuring the integrity, confidentiality, and availability of their information.

Interconnection security agreement

An Interconnection Security Agreement (ISA) is a document that specifies the technical and security requirements for planning, establishing, maintaining, and discontinuing the connection(s) between two or more systems or networks under different operational authorities. It's essentially an agreement between organizations that operate interconnected IT systems about how to secure the data that's being exchanged.

ISAs typically include details such as:

  • The Systems Involved: The systems or networks that are being interconnected.
  • The Data Being Transferred: What data is being exchanged between the systems.
  • Security Procedures: The security controls and procedures that each organization will implement to protect the data.
  • Roles and Responsibilities: The roles and responsibilities of each party, including who is responsible for the security of the data while it's being transmitted.
  • Incident Handling: How security incidents are reported and handled, and how each party will respond to incidents.
  • Termination Procedures: The steps that will be taken to securely terminate the interconnection when it is no longer needed.

An ISA is part of the risk management approach outlined in the NIST Special Publication 800-47, "Security Guide for Interconnecting Information Technology Systems". It's used in conjunction with a Memorandum of Understanding or Agreement (MOU/A), which is a high-level document that specifies the terms and responsibilities of all parties involved in the interconnection.

What are FedRAMP requirements?

This section describes the FedRAMP authorization process, including the status designations, the FIPS data risk categorizations, and the Department of Defense (DoD) Impact Levels.

FedRAMP Authorization Process:

  • Initiation and Pre-Assessment: A Cloud Service Provider (CSP) expresses their intent to become FedRAMP Authorized and prepares by understanding the requirements and implementing the necessary controls.
  • Readiness Assessment Report (RAR): At this point, the CSP works with a Third Party Assessment Organization (3PAO) to create a Readiness Assessment Report, which details the CSP's readiness to undergo a full security assessment. If the FedRAMP Program Management Office (PMO) reviews and accepts this report, the CSP is granted the FedRAMP Ready status.
  • System Security Plan (SSP) Creation: The CSP prepares an SSP, outlining how the security controls required by FedRAMP are implemented in their system.
  • Security Assessment Plan (SAP) Creation: The SAP details the planned security control assessment. After this, the 3PAO begins testing based on the SAP.
  • Security Assessment Report (SAR) Creation: After the 3PAO conducts security testing, it creates the SAR, which details the results of the security assessment.
  • Remediation of Weaknesses: The CSP resolves the weaknesses identified in the SAR.
  • FedRAMP In Process: If an agency or the Joint Authorization Board (JAB) accepts the risk presented in the SAR and is actively working with the CSP towards a FedRAMP Authorization, the CSP is granted FedRAMP In Process status.
  • Authorization Package Review: The 3PAO reviews the final authorization package, which includes the SSP, SAP, SAR, and a Plan of Action and Milestones (POA&M) that details how the CSP plans to address any remaining weaknesses.
  • Provisional Authority to Operate (P-ATO) or Authority to Operate (ATO): If the package is accepted by the JAB or a federal agency, the CSP is granted a P-ATO (from the JAB) or an ATO (from an agency), which marks the CSP as FedRAMP Authorized.
  • Continuous Monitoring: The CSP must continually monitor and report on their security controls to maintain their FedRAMP Authorized status.

FIPS Data Risk Categorizations

The Federal Information Processing Standards (FIPS) Publication 199 categorizes information systems based on the risk to organizational operations, organizational assets, and individuals should there be a loss of confidentiality, integrity, or availability.

  • Low-Impact: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  • Moderate-Impact: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  • High-Impact: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
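The three FIPS 199 levels above are assigned per security objective (confidentiality, integrity, availability) for each type of information a system handles, and the system's overall category is the highest level found across all objectives and information types (the "high-water mark" rule that FIPS 200 requires for federal systems). The following Python helper is an added worked example, not code from the original page or from Cisco; the information types, their ratings, and the function names are constructed for illustration.

```python
# Added example: FIPS 199 security categorization with the FIPS 200
# high-water mark rule. Not part of the original page; the information
# types and ratings below are constructed sample input.

from typing import Dict

# Ordering of the three FIPS 199 impact levels, lowest to highest.
IMPACT_ORDER = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _check_level(level: str) -> str:
    """Normalize a level string and reject anything outside low/moderate/high."""
    level = level.lower()
    if level not in IMPACT_ORDER:
        raise ValueError(f"unknown impact level: {level!r}")
    return level


def categorize_system(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Return per-objective levels plus the overall system category.

    info_types maps an information-type name to its C/I/A ratings, e.g.
    {"payroll": {"confidentiality": "moderate", "integrity": "moderate",
                 "availability": "low"}}.
    For each objective the system takes the highest level among its
    information types; the overall category is the highest of the three
    objectives (the FIPS 200 high-water mark).
    """
    if not info_types:
        raise ValueError("at least one information type is required")
    per_objective: Dict[str, str] = {}
    for obj in OBJECTIVES:
        levels = []
        for name, ratings in info_types.items():
            if obj not in ratings:
                raise ValueError(f"{name!r} is missing a rating for {obj}")
            levels.append(_check_level(ratings[obj]))
        # Highest level for this objective across all information types.
        per_objective[obj] = max(levels, key=IMPACT_ORDER.__getitem__)
    overall = max(per_objective.values(), key=IMPACT_ORDER.__getitem__)
    result = dict(per_objective)
    result["overall"] = overall
    return result


def format_sc(categorization: Dict[str, str]) -> str:
    """Render the result in the FIPS 199 notation SC = {(objective, LEVEL), ...}."""
    parts = ", ".join(f"({o}, {categorization[o].upper()})" for o in OBJECTIVES)
    return f"SC = {{{parts}}} -> {categorization['overall'].upper()}"


# Constructed sample: a hypothetical cloud offering handling two information types.
SAMPLE_INFO_TYPES = {
    "public_web_content": {
        "confidentiality": "low", "integrity": "moderate", "availability": "low"},
    "case_management_records": {
        "confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
}

if __name__ == "__main__":
    # Prints: SC = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)} -> MODERATE
    print(format_sc(categorize_system(SAMPLE_INFO_TYPES)))
```

The point the example makes is that a single moderate rating on any one objective of any one information type lifts the whole system to a Moderate categorization, which in turn determines the FedRAMP baseline (Low, Moderate, or High) the CSP must be assessed against.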

FedRAMP and DoD Impact Level Authorization Levels

FedRAMP authorizes systems at the Low, Moderate, and High impact levels as defined by FIPS 199.

For Department of Defense systems, the Impact Level Authorization goes from IL2 to IL6:

  • IL2 allows for non-controlled unclassified information.
  • IL4 allows for controlled unclassified information.
  • IL5 allows for higher-level controlled unclassified information.
  • IL6 allows for classified information up to secret.

These levels reflect the sensitivity of the data that the system will be handling, and higher levels require more stringent security controls. The processes for achieving these authorizations are similar to FedRAMP, but with additional requirements specific to the Department of Defense.

What is FedRAMP compliance and how can I validate it for Cisco products?

The goal of FedRAMP is to ensure that all cloud services used by federal agencies meet specific security requirements, making it a valuable tool for agencies to validate data security.

Here's how federal and state agencies can leverage FedRAMP compliance to validate data security:

  • Standardized Security Assessments: FedRAMP streamlines the security assessment process by providing a set of standardized security requirements and assessment procedures that all cloud service providers (CSPs) must follow. This makes it easier for agencies to compare different CSPs and ensure that they all meet the same security standards.
  • Third-Party Assessments: As part of the FedRAMP process, CSPs must undergo an independent security assessment conducted by a FedRAMP accredited third-party assessment organization (3PAO). These assessments provide an additional level of validation and help to ensure that the CSP's security controls are properly implemented and effective.
  • Continuous Monitoring: FedRAMP requires CSPs to continuously monitor their security controls and report any changes or issues to the agency. This provides agencies with ongoing visibility into the security posture of their cloud services.
  • Reuse of Assessments and Authorizations: Once a CSP has received a FedRAMP Authorization, that authorization (and the associated security assessment documentation) can be reused by any federal agency. This allows agencies to leverage the work already done by others and avoid the time and cost of conducting their own security assessments.

Here's a step-by-step guide on how to find FedRAMP Authorized cloud solutions:

Customers can find a list of cloud service providers (CSPs) that have achieved FedRAMP Authorization on the FedRAMP Marketplace, which is available on the official FedRAMP website.

  • Visit the official FedRAMP website.
  • Click on the "Marketplace" link from the main navigation.
  • This will take you to a page where you can see a list of all FedRAMP Authorized cloud services.
  • You can filter the list based on the service provider name, cloud service offering, agency sponsorship, and authorization type (FedRAMP Authorized, FedRAMP In Process, FedRAMP Ready).
  • Clicking on the name of a CSP will take you to a page with more information about the provider and its cloud services, including the date of the authorization, the sponsoring agency, and the independent assessor.

FedRAMP vs. StateRAMP

While FedRAMP was designed for federal agencies, it's also increasingly being used by state and local governments as a way to vet the security of cloud services. In addition to leveraging the benefits described above, state agencies can use tools like StateRAMP, which is based on the FedRAMP program and designed to meet the specific needs of state and local governments.

Ultimately, the use of FedRAMP helps agencies to ensure that they're using cloud services that meet a high standard of security, and it provides a clear and consistent way to validate the security of these services. This can lead to increased confidence in the security of the agency's data and systems, and it can help to ensure compliance with various data protection regulations.

Reach FedRAMP compliance with authorized solutions from Cisco