The History of FedRAMP Authorization
Cyber security is no longer a futuristic subject – it’s a part of everyday life. Every 11 seconds, a cyber-attack is attempted on a company, organization or agency. As one cloud security expert put it at the 2022 FedRAMP Summit, “The idea that an agency won’t experience a cyber incident isn’t a reality anymore.” Being adequately prepared for cyber-attacks, both in defenses and responses, is an imperative for modern operations.
Over a decade ago, the Office of Management and Budget (OMB) recognized the growing threat of cyber-attacks on federal entities and released its Federal Cloud Computing Strategy, often referred to as “Cloud First,” as part of the larger Federal IT Modernization Effort. The strategy stated that any cloud-based tool housing federal data must go through a security authorization to ensure the data was well protected from outside parties. Moving federal operations to cloud-based tools, as opposed to on-premises systems, allows for quicker responses to potential threats across multiple agencies and locations.
To aid the transition to the cloud, the OMB established a standardized, rigorous risk assessment process for cloud-based software called Federal Risk and Authorization Management Process (FedRAMP), creating an efficient and consistent method for verifying whether industry tools are fit for federal use. OMB then collaborated with the General Services Administration (GSA) to institute the FedRAMP Project Management Office (PMO), which oversees FedRAMP applications, authorizations and continuous monitoring.
Unfortunately, agencies have made the transition to the cloud more slowly than hoped, and many continue to rely on on-premises tools for daily operations. In response, the OMB doubled down on its commitment to moving federal entities to the cloud with 2018’s Cloud Smart Strategy, which updated and reinforced its recommendations for federal cloud-based software. Then, in 2021, the Biden administration added its backing to the OMB’s cloud efforts with Executive Order 14208, directing federal groups to improve cyber security among their software tools.
How FedRAMP Authorization Works
With growing pressure on federal and military entities to switch to secure cloud platforms, it’s increasingly important for industry vendors to reach FedRAMP authorization for their federally used products. The more tools available on the FedRAMP Marketplace, the easier it will be for agencies to make the move to the cloud. To date, fewer than 300 tools have reached FedRAMP authorization.
FedRAMP is a meticulous and at times lengthy process, and that’s not accounting for the years of pre-FedRAMP work it may take a vendor to create a cloud environment that meets federal requirements. Once a vendor has a software tool successfully migrated to a secure cloud environment, they can pursue FedRAMP authorization through one of two routes: Joint Authorization Board (JAB) provisional authorization or agency authorization. Whichever path is chosen, the FedRAMP PMO will coordinate the FedRAMP authorization process for the vendor.
The key difference between the two routes is which entity serves as the federal signee on the vendor’s authorization. Through the JAB, which is comprised of the CIOs of DHS, DOD and GSA, vendors can achieve a provisional authorization to operate (P-ATO). Once the vendor’s tool receives a signature of verification from all three members of the JAB, other federal agencies can leverage the JAB P-ATO to issue their own authorization to operate (ATO) immediately.
If a vendor takes the agency route, an individual agency will serve as the sponsor for that vendor as they move through FedRAMP. Once the tool is verified as meeting FedRAMP requirements, the agency can issue its own ATO for that tool. Subsequent agencies can then target the tool for their own ATO, though they may need to put the tool through additional testing to ensure it meets their specific requirements.
The Benefits of FedRAMP Authorization
Risk Reduction
The chief benefit of FedRAMP is that it removes risk for federal agencies by ensuring that their sensitive data is protected. Tools receive FedRAMP authorization in one of three levels: low impact, moderate impact and high impact. These levels aren’t a reflection of the quality of the tool or its security capabilities. Rather, they denote the level of sensitivity of the data housed in their platforms. If a tool receives low impact FedRAMP authorization, then the data housed in that tool isn’t critical to national or personal security. Conversely, tools with high impact authorization store data that, if breached, could put missions or personnel at risk.
Whatever impact level of authorization a tool receives, agencies can be confident that its exposure to known vulnerabilities is minimal. Nearly all modern software is built using code components sourced from third parties. FedRAMP tests tools to confirm that their code is free of known vulnerabilities, greatly increasing the likelihood that any weaknesses in the code, whether malicious or unintentional, are removed or mitigated.
As Andre Mendes, CIO for the Department of Commerce, put it at the 2022 FedRAMP Summit, “If something is FedRAMP’d, then you’ve eliminated a lot of the risk. Not all of it, but a lot. [FedRAMP] provides us partners that we can trust and verify.”
Did you know FedRAMP can even help federal contractors comply with CMMC requirements? Tools that achieve FedRAMP authorization will be aligned with CMMC.
Efficiency and Cost Savings
The secondary benefit of FedRAMP is efficiency. The standardized process allows the federal government to follow the principle of “complete once, use many times.” This allows agencies to focus time and energy on mission-critical efforts instead of testing the security of software tools and removes the long latency period previously required before new cloud tools could be adopted. “It allows us to do away with repetitive processes…and put money back into services that taxpayer dollars were meant for,” Mendes said.
Cloud-based software also provides greater connectivity between agencies and vendors’ support teams. Rather than having to train an on-premises staff member to serve as the designated troubleshooter for a tool, agencies using FedRAMP tools can access the vendor’s own expert staff directly and in real time. “It’s important for us to create these layers of abstraction that allow us to focus on the top,” stated Mendes.
Continuous Monitoring and Innovation
FedRAMP doesn’t end for a particular tool when it reaches authorization. All FedRAMP tools undergo a yearly continuous monitoring process to verify that no new vulnerabilities have appeared in the existing code. If any are found, the vendor must put the tool into a redevelopment phase to mend the cracks.
Cloud-enablement means that new features and updates can be rolled into software tools on a consistent basis. This gives agencies ready access to new industry innovations. New features are also tested for security vulnerabilities during the continuous monitoring process.
Gordian’s FedRAMP Offerings
Gordian recently received JAB P-ATO for the Gordian Federal Cloud through FedRAMP. The first tool to be migrated onto this verified secure cloud environment is RSMeans Data Online, our premier construction estimating platform. Through RSMeans Data Online, federal and military entities can access North America’s most comprehensive construction cost database to build accurate estimates with intra-agency sharing.