The Federal Risk and Authorization Management Program (FedRAMP) is the process by which cloud service providers (CSPs) obtain an authorization to sell as-a-service solutions to agencies and organizations of the U.S. federal government. The process is built on the federal government's traditional Authorization to Operate (ATO) process, and it is much more difficult than many initially expect.
While the ATO process is based on the NIST Risk Management Framework (RMF), it is implemented differently by each agency. FedRAMP was intended to change that for the cloud environment by standardizing the process for as-a-service solutions, whether infrastructure (IaaS), software (SaaS), or platform (PaaS).
The first hurdle – establishing market demand
Despite the diligent efforts of the FedRAMP program management office (PMO), misconceptions remain. One of the more ill-conceived notions is that FedRAMP is a checkbox security process that results in a license to sell throughout the federal government. Many don’t realize the considerable cost and time it takes to get a FedRAMP ATO or provisional ATO (P-ATO).
Many struggle even to get into the program. Any organization contemplating the FedRAMP authorization process will do well to first conduct the appropriate due diligence on customer demand. While Xacta has helped organizations streamline the FedRAMP process, the greatest hold-up is often the lack of an agency sponsor, which is required for an agency ATO, or the lack of prioritization by the Joint Authorization Board (JAB), which is required for a P-ATO. In both cases the underlying cause is usually insufficient customer demand.
Xacta for FedRAMP
Once market demand is proven and agency sponsorship established, Xacta for FedRAMP will help you move through the process as quickly as possible. It will help you understand the process and assist in collecting the necessary information to build the body of evidence to support a FedRAMP P-ATO or ATO. Xacta provides a simple way to ingest information, automate as much data collection and testing as possible, and automatically generate documentation needed for the authorization. Of the fifteen documents that a CSP needs to build for their FedRAMP submission, the Xacta platform can automatically generate thirteen. The remaining two, the User Guide and the Separation of Duties Matrix, are authored by the product team.
Xacta supports a robust inheritance model that lets organizations both provide and consume fully inherited, partially shared, or hybrid controls. Inheritance can be a force multiplier in streamlining the FedRAMP process when a CSP leverages a control provider's shared controls together with that provider's recommended control implementation (RCI). Solutions built on providers that use Xacta can therefore take advantage of shared and fully inherited controls quickly and easily. Using this method, many Xacta users have reduced the length of the ATO process from eighteen months to a few weeks. Xacta's continuous monitoring features also provide a major advantage in maintaining a FedRAMP authorization once it is granted.
Getting a FedRAMP ATO or P-ATO is a major achievement, but keeping it is critical to success. An organization must continually produce evidence that required updates and patches are applied, that vulnerability scans are performed, and that logs are reviewed for potential threats. Xacta helps automate these activities so that a FedRAMP authorization can be maintained.