One of my first interactions with computer security history was a dusty set of books on a shelf in my new office in the late nineties. These books were part of a series—specifically, the US Department of Defense (DoD) Rainbow Series Trusted Computer System Evaluation Criteria (TCSEC) series originally published in the late eighties. The first book was NCSC-TG-006, the Orange Book, A Guide to Understanding Configuration Management in Trusted Systems, Version 1, 3/28/88; the series also included 25 additional guides. (I wonder what the conversation was like when they got through the primary colors and started with NCSC-TG-026, the Hot Peach book, or NCSC-TG-007, the Burgundy Book.)
These books laid the foundation for evaluating the effectiveness of security controls built into automated data processing (ADP) systems, aka computer systems. They established many of the principles we continue to use in modern standards and models today.
The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and the Federal Risk and Authorization Management Program (FedRAMP) evolved from these principles, eventually providing a standardized approach to cybersecurity assessment, authorization, and continuous monitoring under the Federal Information Security Modernization Act (FISMA).
The primary purpose of the TCSEC guidelines was to provide guidance throughout a system’s lifecycle, beginning with development and continuing through decommissioning and configuration management, as well as on how to implement controls to protect data that had moved from physical records on paper to automated data that moves freely around the world.
However, today organizations frequently entrust the custody of their data to Software as a Service (SaaS) providers whose control implementation practices are outside the data owner’s control.
In response to this shift in how data is stored and managed—with a particular focus on ensuring the security of federal information—FedRAMP was established in 2011 under the direction of the Office of Management and Budget and enhanced and codified in law with the passage of the FedRAMP Authorization Act, part of the Fiscal Year 2023 National Defense Authorization Act signed into law December 2022. FedRAMP aims to promote the use of cloud computing products and services that meet stringent security risk and performance-based requirements and help protect US federal unclassified data and operations in the cloud.
Cloud service providers aiming to serve federal government agencies must secure a FedRAMP Authority to Operate (ATO) if they handle federal data. If your clientele includes government agencies and your cloud service meets their mission-critical needs, you’re likely already on the path toward FedRAMP compliance. The first step in this journey is to identify the right path: an agency-sponsored Authority to Operate (ATO) or a Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO).
Agency-sponsored ATO is the most common route (70%), with an agency guiding cloud offerings through the FedRAMP process. Agencies that agree to sponsor a solution commit resources and personnel for tasks like document review, continuous monitoring, and progress tracking. Smaller agencies often rely on their parent agencies for support.
JAB Provisional Authorization, overseen by top federal and US Department of Defense CIOs, involves a standardized selection process because the board’s resources are limited. A JAB P-ATO entails strict adherence to FedRAMP controls. Agency ATOs might skip the formal Readiness Assessment and allow more flexibility in control implementation, depending on agency-specific needs.
Both agency ATOs and JAB P-ATOs require ongoing monitoring and reviews, with the advantage of reusing the authorized FedRAMP package for subsequent agencies, reducing deployment effort.
Since Xacta® has a long history with multiple federal agencies, we are fortunate to be one of the cloud service providers prioritized this year to pursue a Provisional Authority to Operate (P-ATO) with Joint Authorization Board sponsorship. Xacta was invented over twenty years ago, and we have significant experience in the IT risk and compliance space. This milestone is a significant development in Xacta’s history, allowing us to continue to develop and expand Xacta’s footprint as a SaaS product for use in government cloud environments.
Despite all the changes in technology over the last thirty or so years, it’s interesting to consider the prescience of the original Rainbow Series books published by the Department of Defense: their authors recognized the critical importance of evaluating security controls on an ongoing basis, back when cloud-managed hosting was still years away. It will be interesting to watch developments in this area as, over time, both technology and the FedRAMP program continue to evolve.