Achieving a Federal Risk and Authorization Management Program (FedRAMP) authorization can be a daunting and expensive undertaking. The recently proposed changes to the process aim to cut the overall approval time to roughly six months, which means that demonstrating mature security practices and having documentation ready from the start matter more than ever.
With government IT moving rapidly toward the cloud, a FedRAMP authorization is likely to become a must-have for any cloud provider selling to federal agencies.
Often, organizations find that getting started and setting the right expectations with government customers and internal stakeholders are the most challenging parts of the process. Because cloud offerings vary widely in architecture and system boundaries, there is no one-size-fits-all recipe for success. The following lessons, however, can help cloud service providers (CSPs) take the right first steps and navigate the evaluation effectively.
Submit to a Robust Readiness Audit
Preparation is key to the FedRAMP process, and a readiness assessment performed by an accredited third-party assessment organization (3PAO) is invaluable for identifying gaps and areas for improvement before the formal assessment begins. Technical leaders need to define the roles and responsibilities of each person within their organization, draw the authorization boundary clearly, and decide which services are "out of system bounds."
Do not modify the core FedRAMP templates. Altering them is likely to cause significant delays in the security review, because the reviewers rely on automated processes to ingest the submitted documents. If a CSP changes the templates, that tooling fails, and the reviewers must map the submission back to the original templates section by section, by hand.
Use Best Practices Around Multi-factor Authentication and System Boundaries
To keep the FedRAMP assessment moving, require multi-factor authentication for every interactive login to the system, privileged and non-privileged, internal and customer-facing alike. Many agencies are already tightening their identity and access management practices, so multi-factor authentication is now a matter of basic hygiene rather than a differentiator.
To further accelerate the process, draw the authorization boundary around only the offerings you intend to sell to government, rather than around your entire technical stack. The boundary must still contain every component that stores, processes or transmits federal data, and any external service the system depends on has to be documented as an interconnection, so a smaller boundary reduces scope only if the offering is genuinely separable from the rest of the stack.
Bring Together a Cross-Functional Team to Develop Your Package
It is critical to engage industry experts and partners with proven FedRAMP experience, such as a 3PAO, to minimize unknown risk and shorten the compliance timeline. Identifying organizational knowledge gaps early lets the company decide which work stays in-house and which is better handled by consultants. For example, because FedRAMP has prescriptive documentation requirements, CSPs may need technical writers experienced in describing security controls and risk-mitigation processes in the expected form. The documentation component of securing an authorization is not trivial, and addressing it properly avoids delays.
The comprehensive standards, policies and processes that FedRAMP requires can be overwhelming. Educating the entire leadership team about the program and the demanding control baselines is key to marshaling the right resources for the authorization effort. Last but not least, take advantage of the publicly available FedRAMP templates, tips and recommendations. Program officials actively promote industry best practices and publish guidance that sheds light on both the direct and indirect requirements.
In 2016, NetComm became the first women-owned small business to achieve FedRAMP compliance, for its Beacon SaaS, which holds an agency authorization sponsored by the National Institutes of Health.