Acquiring a FedRAMP Authority to Operate (ATO) is a mandatory requirement for cloud service offerings (CSOs) that hold federal data and are used by U.S. federal agencies. And as many cloud service providers (CSPs) have learned, it is a long and arduous process, largely dependent on a required relationship with a federal agency or the Joint Authorization Board (JAB). Without sponsorship by one of the two, a CSP cannot obtain FedRAMP ATO or be listed in the official FedRAMP Marketplace.
FedRAMP is an authorization, not a certification per se, but is still reflective of a CSP meeting very well-defined NIST 800-53 baseline controls requirements. Because the requirements are well-defined (so much so that Third Party Assessment Organizations (3PAOs) are already trusted and leveraged to assess a CSP’s adherence to the baseline controls), it seems that adherence could be fully validated and continuously monitored by a 3PAO with only indirect/QA-level oversight and approval by government entities. This could alleviate the current situation, which involves hundreds of CSPs either:
- Competing for sponsorship by a limited number of government agencies who can sponsor an initial FedRAMP ATO, or
- Somehow obtaining sponsorship from the JAB, whose resources limit them to taking on only 12 FedRAMP efforts each year.
Current Process Architecture
The current process places a significant amount of work on the JAB and/or each sponsoring agency:
Shifting duties: Could a 3PAO represent the JAB and validate compliance for any CSP willing to do the work?
Because FedRAMP has such well-defined baseline controls, a 3PAO could take on all of the analysis and “stamp of approval” duties of the JAB or an agency. They could use JAB’s current standards, requiring full adherence to all controls. This would allow any CSP to go to a 3PAO and have a full assessment completed, even without an agency or JAB sponsorship, and be granted an official FedRAMP-compliant stamp (i.e., a FedRAMP “certification,” which would really be just a different flavor of a P-ATO). Minimally, this could then allow compliant CSPs to be listed in a marketplace (either the current marketplace with a new status as shown in the image below or a new marketplace for certified-compliant solutions). This would bridge the gap between government agencies and the hundreds of CSOs that are not readily available for use because there simply isn’t the bandwidth and resources to move them all through the current FedRAMP process. Allowing a 3PAO to be an authorizing arm of the JAB, rather than merely its trusted informant, addresses many of these resource problems.
Re-imagined process architecture
While this 3PAO-led format is only a conceptual model at this time—with more work needed regarding details (e.g., whether there would still be a need for a FedRAMP Ready status)—shifting the work and adjusting processes has many benefits.
This type of re-envisioned FedRAMP approach could solve several problems:
- It lowers the federal market barrier to entry, allowing any CSP that is willing and able to achieve a recognized FedRAMP-compliant “certification”
- It reduces the burden on already-stretched government staff and allows the JAB and FedRAMP PMO to invest more in thought leadership, guidance, and oversight than hands-on CSO assessment work
- It increases capacity for FedRAMP, allowing commercial 3PAO entities to absorb most of the work and process more CSOs concurrently
- It potentially improves the mean standard of compliance, as all CSOs would need to meet all controls as they would for a JAB authorization
- It provides scalability afforded by the commercial services landscape
The “FedRAMP-compliant certification” would be similar to the JAB P-ATO in that it would be a general status indicating compliance with the FedRAMP baseline controls. The main difference is that a 3PAO would be taking on the additional work currently handled by the JAB or agency, namely: reviewing and approving massive System Security Plans (SSPs), System Assessment Plans (SAPs), System Assessment Reports (SARs), Plan of Action and Milestones (POA&M), reviewing iterative continuous monitoring (ConMon) artifacts, and validating that any significant changes don’t introduce unacceptable risk.
Agencies would still need to grant an ATO based on FedRAMP compliance – but it would be much simpler, at least for the first agency to use the “certified” CSO
The actual ATO would still need to be granted by each agency wanting to use the CSO. That process could hopefully be simpler and faster with the 3PAO playing more of a trusted role in validating compliance. The ATO process would involve more of a cursory check of the 3PAO’s recommendation rather than an in-depth review of the ATO package.
Agencies would also still be in the loop as an informed party on all ConMon activities and significant change activities. The difference for the agency, just like with the JAB, is that their role would become more of a QA/oversight role rather than the main player – thereby reducing the burden on agency resources. Agencies could even provide 3PAOs with their specific requirements/agency-specific controls and have the 3PAOs handle the ongoing monitoring and validation of compliance to those controls.
None of this would preclude an agency from being very involved in its own acceptance of risk, and agencies would always have full authority to stop using a CSO should they perceive too much risk. This model simply gives the agency (just like the JAB) a trusted representative to handle the lion’s share of the work.
An expanded marketplace of compliant CSOs could offer not only FedRAMP authorized CSOs but FedRAMP certified/compliant CSOs
Allowing any CSP that is able and willing to meet FedRAMP controls requirements to do so and get recognized for the achievement seems like a step in a good direction. It would hopefully encourage smaller CSPs with emerging solutions, who may have difficulty finding a federal sponsor, to become compliant—which is the main objective in the larger battle to better protect all our nation’s cyber infrastructure. Such a marketplace would then hopefully give federal agencies a larger catalog of already compliant solutions to choose from. There are likely many cloud solutions that would be beneficial to government agencies but aren’t available for use because of the FedRAMP authorization process barrier to entry.
But what about FedRAMP Ready status? Isn’t that similar to what’s being proposed?
It might be argued that the FedRAMP program already has a type of “certification” or pre-authorization option. CSPs can choose to go through the Readiness Assessment process without a sponsor and achieve a FedRAMP Ready listing in the FedRAMP Marketplace. A CSP can demonstrate that they are FedRAMP Ready by working with a 3PAO in a mini-assessment (sans a full penetration test) that involves validation of the CSO boundary, vulnerability scanning, a review of policies and procedures, and validation of compliance with a subset of controls (e.g., the critical controls), to name a few. It isn’t, however, as thorough as the full assessment, nor is it a foolproof assurance that a CSO will achieve an ATO. FedRAMP Ready status mostly indicates to the JAB or an agency that a CSP is committed and has met most of the key requirements to achieve an ATO. However, achieving FedRAMP Ready still leaves CSPs with the challenge of convincing a federal agency to accept the extra work of being their initial sponsor. The risk of getting through the assessment may be reduced, but the workload on the agency is not. As a result, the FedRAMP Ready status does little to alleviate the sponsorship bottleneck.
The JAB would still govern the program and retain revocation power over any “certification”
The suggestion to push most of the solution vetting and “certification” process to a 3PAO isn’t about taking power away from the JAB. Rather, it allows the JAB to operate one step higher in an oversight role, removing them from many of the time-consuming tasks that go with ATO sponsorship. The JAB wouldn’t need to invest the time and energy in shepherding 12 CSPs per year through the process. Instead, they could move up one step in the hierarchy and oversee the 3PAOs in their processing of 12 of the highest demand/highest impact CSOs.
One way or another, expanding the number of FedRAMP compliant cloud solutions calls for out-of-the-box thinking
While the brainstorm-level ideas presented in this blog post are far from thoroughly vetted, they are an example of the out-of-the-box thinking that may be required to address the limitations of the current FedRAMP system. The Constellation GovCloud (CGC) team is committed to thought leadership, to supporting the federal government, and to contributing to the improved security posture of cloud solutions.
About Constellation GovCloud
CGC, a Merlin offering, is a pre-built, FedRAMP Platform-as-a-Service hosted on AWS GovCloud and designed to host SaaS solutions seeking FedRAMP ATO within federal agencies. Our goal is to absorb a bulk of the underlying technical, operational, and management burden, limiting the impact to our partners and allowing them to focus primarily on their specific SaaS operations and controls. We help our partners get to FedRAMP faster and with significantly fewer financial and resource commitments.