What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services and cloud products offered by cloud service providers (CSPs).
As the number of government agencies using the cloud increases, so does the need for enhanced security. The FedRAMP authorization process aims to make it easier for federal agencies to contract with CSPs by determining whether those providers meet federal cloud security guidelines.
At the core of FedRAMP is the National Institute of Standards and Technology’s (NIST) Special Publication 800-53, which provides a catalog of information security controls selected to protect federal information in cloud computing environments.
Following a federal “Cloud First” initiative, which required agencies to move their data and workflows to the cloud, the U.S. Office of Management and Budget established FedRAMP in 2011 to provide a “cost-effective, risk-based approach for the adoption and use of cloud services to Executive departments and agencies.”
In 2012, the U.S. General Services Administration (GSA) formally launched FedRAMP, and included the use of federally accredited third-party assessment organizations (3PAOs) to determine whether a CSP complies with FedRAMP. The program also requires every cloud provider holding federal data to obtain an “authorization to operate” (ATO) from the agency it serves.
How does FedRAMP work?
Cloud providers can obtain two types of FedRAMP authorization:
- A Joint Authorization Board (JAB) provisional authorization to operate (P-ATO) is the more stringent of the two, intended for CSPs wanting to provide cloud services to multiple agencies or even government-wide.
- An agency authorization to operate (ATO) is less complicated, designed for CSPs that want to serve one or two agencies.
FedRAMP employs a “do once, use many times” framework, which means that once you obtain one level of ATO, you have ongoing authorization to serve any agency processing data at your assigned risk level.
For either type of FedRAMP authorization, the 3PAO will determine the sensitivity of data that the cloud service offering (CSO) can securely handle, and will give it a “high,” “moderate,” or “low” risk rating by measuring the CSO’s security controls against those in the applicable NIST publications.
The three security baseline levels of FedRAMP authorization (low impact, moderate impact, and high impact) depend on the different kinds of data that a CSP manages, as well as the ways in which the CSP must secure and protect that data. Each level refers to the potential harm that may occur if an information system is compromised.
CSPs are in compliance with FedRAMP when they conform to its government-wide requirements for information security assessment, authorization, and continuous monitoring for cloud products and services.
Although FedRAMP certification can be difficult to obtain, it has also become the most coveted credential for CSPs — and a necessary one for cloud service providers that want to work with the U.S. government. In fact, the U.S. government requires FedRAMP program compliance from all who provide cloud computing products and services to federal government agencies.
Given the rigor involved, it’s no surprise that FedRAMP is now the gold standard in cybersecurity for federal, state, and local government agencies.
FedRAMP for federal government
For CSPs wanting to do business with the federal government or federal agencies, FedRAMP certification is a must.
The top challenge federal agencies face today is keeping pace with the ever-increasing demand for cloud-based services, and assuring that proper security is in place. FedRAMP aims to make it easier for federal agencies to contract with CSPs by determining whether those providers meet federal cloud security guidelines. FedRAMP also can help agencies meet their demand for cloud, and augment their security capacity when bringing new and emerging technologies into their agencies.
A federal agency chooses cloud providers, products, and services according to the level of security the agency needs. Some agencies seek cloud for low-risk business functions, such as collaboration and video streaming; others seek to use the cloud for high-risk business functions, including functions that support sensitive or mission-critical data.
The top two reasons for cloud adoption in government are cost savings and efficient delivery of services.
As far as cost benefits are concerned, the numbers speak for themselves. It’s often much cheaper for the government to use cloud services than to maintain hardware itself. While the federal government spends $90 billion on information technology each year, 75 percent goes toward operating and maintaining current systems. Just 22 percent of the federal government’s IT budgets pay for cloud services.
In addition to efficiency and cost, FedRAMP certification can provide a number of other benefits to CSPs working with federal entities, including:
- Increased reuse of existing security assessments
- Enhanced transparency between government and CSPs
- A uniform approach to risk-based management
- Improved real-time security visibility
- Consistent application of existing security practices
- Increased confidence in security assessments
- Increased confidence in security of cloud assessments
- Increased automation and near-real-time data for continuous monitoring
While FedRAMP is a federally mandated program, state and local agencies can apply the FedRAMP framework in their own cloud contracts and assessments to glean many of the same benefits that apply to federal agencies.
FedRAMP for state and local government
Agencies at all levels of government should see the value in using standards to improve cloud security. A growing number of state and local governments are using the same requirements to evaluate their own CSPs.
Although state and local agencies are not authorized to directly access FedRAMP security documentation (which is housed in a secured federal portal), they can still apply the FedRAMP framework in their own cloud contracts and assessments.
The IT Alliance for the Public Sector (ITAPS) states in its States Cybersecurity Principles and Best Practices Document that state agencies should “utilize FedRAMP certification to better inform their acquisition of quality cloud products and services. When looking to standardize cybersecurity, states should avoid trying to reinvent the wheel, and should instead embrace existing standards developed by industry and leading professionals.”
Matt Goodrich, the director at FedRAMP, has also spoken on state agencies’ use of the framework, stating: “FedRAMP sets the bar for how to protect federal data when it resides in the cloud environment, and GSA [General Services Administration] believes that state and local government can leverage this security standard for compliance needs at the local level.”
Ultimately, state and local agencies should take advantage of the same benefits cited by their federal counterparts: efficiency and cost savings.
Neville Cannon, research director at Gartner, says, “The key to successfully implementing cloud in government is accounting for the unique technical, organizational, procedural and regulatory issues of individual organizations. For example, national governments typically see cloud as a long-term pathway to strategic IT modernization, whereas local and regional governments tend to pursue the immediate tactical benefits of innovation and cost savings.”
Beyond the efficiency of the “do once, apply many times” framework, agencies can also place more confidence in the security of cloud vendors that are FedRAMP-certified. It’s estimated that agencies can save 30 to 40 percent on their vendor assessments by switching to FedRAMP-certified CSPs, in addition to time and labor costs.
Ultimately, local governments are better positioned to benefit from increased spending on cloud, as shrinking budgets, changing demographics, and rising expectations for digital engagement place them at the center of the need for transformation.
Tools to manage FedRAMP compliance
Achieving compliance with FedRAMP controls demonstrates that your organization is serious about security. FedRAMP certification has become the most coveted credential CSPs can obtain.
Fortunately, modern tools can automate the process, doing much of the work for you.
FedRAMP and ZenGRC
Reciprocity’s ZenGRC software-as-a-service (SaaS) can help you double up compliance with other regulatory and industry frameworks and standards, including NIST SP 800-53.
ZenGRC automates the entire FedRAMP compliance process by:
- Probing your organization’s systems for FedRAMP conformity and alerting you when it finds a flaw.
- Making detailed, prescriptive suggestions for correcting compliance gaps.
- Summarizing, in real time, your risk and compliance posture, and helping you prepare for penetration testing and other tests required by FedRAMP.
- Helping you prepare for FedRAMP readiness with unlimited, one-click self audits.
- Creating, gathering, and storing documentation of your compliance actions in a “single source of truth” repository for your 3PAO to view.
- Continuously monitoring your systems to assure that you maintain your FedRAMP authorization between audits, and alerting you in real time to issues and vulnerabilities.
- Automatically monitoring your third-party vendors, making it easy to generate and send vendor surveys and compile the results automatically.
- Providing an at-a-glance view of your overall compliance posture on user-friendly, color-coded dashboards.
With ZenGRC performing so many FedRAMP compliance tasks for you, while at the same time helping to improve your cloud security, you can stop worrying about obtaining and maintaining your coveted FedRAMP ATO or P-ATO.
Schedule a demo to find out how ZenGRC can help your organization become FedRAMP compliant today.
Worry-free FedRAMP compliance: That’s the Zen way.