Cloud-based computing has streamlined data processing, storage, and security, which is why federal agencies are encouraged to move their data and workflows to the cloud. Any cloud service provider (CSP) that works with US government organizations must follow certain cybersecurity regulations.
CMMC vs. FedRAMP
Achieving CMMC 2.0 compliance is necessary to protect controlled unclassified information (CUI) managed by Department of Defense (DoD) suppliers. Defense contractors and relevant organizations, agencies, and service providers need to achieve CMMC 2.0 compliance if they want to work with any federal agency.
Related reading: For more in-depth information on CMMC 2.0 certification, the levels of CMMC 2.0, and how to achieve CMMC 2.0 compliance, read our articles:
1. An Introduction to the CMMC 2.0 Certification
2. The Levels of the Cybersecurity Maturity Model Certification Explained
On the other hand, the Federal Risk and Authorization Management Program (FedRAMP) is important for CSPs that serve federal agencies. It was developed by the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense, and the Department of Homeland Security (DHS).
What is FedRAMP?
FedRAMP is a program the United States government developed to standardize the security assessment, authorization, and continuous monitoring processes that cloud service providers and similar organizations apply to their cloud products and services. It primarily ensures that public cloud systems containing federal data are well-protected.
FedRAMP ensures that government organizations use safeguarded cloud systems, reduce risk management costs, and procure information systems and services rapidly and cost-effectively.
Moreover, FedRAMP builds on the Federal Information Security Management Act (FISMA), a law that requires federal agencies to develop, document, and implement an information security and protection program that abides by the E-Government Act of 2002.
Here are the steps you need to take to achieve FedRAMP compliance:
Step 1. Document
This involves categorizing the information system or service under consideration based on the "Standards for Security Categorization of Federal Information and Information Systems" of the NIST publication FIPS-199. Categorizing the data that will be processed within the information system is key to identifying the impact level (low, moderate, or high) of the cloud service or product in case of a security breach. The impact level will then determine the type of data that the provider will be authorized to handle.
Key points:
- The selected impact level indicates which NIST 800-53 and FedRAMP controls must be used to comply with the program’s requirements.
- A CSP can complete a FIPS PUB 199 Worksheet via www.fedramp.gov.
Step 2. Assess
A third-party assessment organization (3PAO) steps in to examine the effectiveness of the implemented controls. They will conduct a security assessment on the actual system (i.e., not a test system) to be used.
Key points:
- CSPs are not required to use a FedRAMP-accredited 3PAO. However, any independent assessor must create a testing plan that utilizes the FedRAMP SAP template, which can be found on www.fedramp.gov/templates/.
- 3PAOs and independent assessors must abide by test case procedures found on www.fedramp.gov when assessing the CSP’s system.
Step 3. Authorize
The independent assessor or 3PAO presents their findings via a Security Assessment Report (SAR), which should contain any discovered vulnerabilities, threats, and risks and ways to mitigate them. The federal agencies that review the assessor’s findings may request further tests if risks were identified during the assessment stage. Otherwise, the federal agency may approve the report.
Key point:
- If risks were identified in the SAR, the CSP must present a Plan of Action and Milestones (POA&M) that describes how the security risks will be mitigated using available resources, staff, and schedule.
Step 4. Continuous monitoring
CSPs must continuously monitor their security controls and provide their findings to the authorizing agency. That means CSPs must be able to regularly scan their applications, databases, and servers for vulnerabilities. For their part, the 3PAO or independent assessor should assess the CSP’s cloud security at least once a year.
Key point:
- Continuous monitoring activities depend on what type of FedRAMP authorization the cloud provider wants to obtain. That means CSPs that want to provide services to multiple agencies require monthly and yearly assessments, while those that want to serve one or two may require only a yearly assessment.
Charles IT can perform a variety of FedRAMP-compliance tasks for your organization. Our Compliance and Security Assessment experts can also enhance your cloud security infrastructure — you don’t have to worry about creating a CMMC 2.0 or FedRAMP strategy. Call us at 860-344-9628 or leave us a message.
Editor's Note: This blog was originally published on August 19th, 2020. It was edited on June 29th, 2023 for accuracy.