Most agencies have a cloud policy and require FedRAMP for cloud technologies that store, process, or transmit federal information. So how do you account for FedRAMP requirements in your procurement?
I made this guide with all the information you need to understand the highlights, including example language for your acquisition document. The following article draws much of its content from FedRAMP.gov.
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
Program information is available at FedRAMP.gov.
FedRAMP enables agencies to rapidly move from old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT.
FedRAMP created and manages a core set of processes to ensure effective, repeatable cloud security for the government. FedRAMP established a mature marketplace to increase utilization and familiarity with cloud services while facilitating collaboration across government through open exchanges of lessons learned, use cases, and tactical solutions.
Going cloud? Here’s a FedRAMP requirement example to consider for your acquisition document:
The agency requires that a cloud solution shall be certified by the Federal Risk and Authorization Management Program (FedRAMP). The Awarded Vendor shall furnish a SaaS solution that is FedRAMP certified by the start date of the last iteration proposed in the Offeror’s response, as determined by the agreed-upon project schedule established during the design, development, and implementation phase. Migrating from a supplier that is not FedRAMP certified to a supplier that is FedRAMP certified, and the timing of such a move, shall be the responsibility of the Awarded Vendor so as to minimize schedule impact to System Delivery. If such a move is required, the Awarded Vendor shall bear all costs, including additional agency contractor expenses, associated with migrating to a FedRAMP certified provider. Offerors that demonstrate current, completed certification shall be given greater preference.
In addition to the above requirement, you may want to include a liquidated damages clause to ensure compliance.
Prior to Go-Live
Failure to meet FedRAMP Authority requirements by twelve (12) months from Contract Award Date or to maintain that status thereafter will result in an assessment of $5,000 per calendar day. The cure period will be one (1) calendar day following the due date.
Failure to maintain FedRAMP Authority status achieved prior to Go Live will result in an assessment of $5,000 per calendar day. The cure period will be one (1) calendar day following the due date.
For more information on liquidated damages, check out our post How to Use Liquidated Damages in Your Procurement.
Interested in learning more about the FedRAMP program? The following sections cover additional highlights.
Identify your impact level: Low, Moderate, or High
FedRAMP authorizes Cloud Service Offerings (CSOs) at one of three impact levels: Low, Moderate, and High. It is important to specify the proper impact level for your procurement based on the information to be stored, processed, accessed, and transmitted. Your Chief Information Security Officer (CISO) should identify what is needed for your solicitation.
Impact levels are determined based on three security objectives:
- Confidentiality – Restrictions on information access and disclosure are preserved, including the means for protecting personal privacy and proprietary information
- Integrity – Stored information is sufficiently guarded against improper modification or destruction
- Availability – Information can be accessed in a timely and reliable manner
Low Impact Level
Low Impact is most appropriate for CSOs where the loss of confidentiality, integrity, and availability would result in limited adverse effects on an agency’s operations, assets, or individuals. FedRAMP currently has two baselines for systems with Low Impact data: LI-SaaS Baseline and Low Baseline.
Moderate Impact Level (Most Common)
Moderate Impact systems account for nearly 80% of CSP applications that receive FedRAMP authorization. Moderate Impact is most appropriate for CSOs where the loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency’s operations, assets, or individuals.
Serious adverse effects could include significant operational damage to agency assets, financial loss, or individual harm short of loss of life or physical injury.
High Impact Level
High Impact information is usually in Law Enforcement and Emergency Services systems, Financial systems, Health systems, and any other system where loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
FedRAMP introduced its High Baseline to account for the government’s most sensitive unclassified data in cloud computing environments, including data whose compromise could threaten life or cause financial ruin.
Program Goals, Benefits, and Objectives
The General Services Administration (GSA) provides a summary of the Program Goals and Benefits as follows:
- Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
- Increase confidence in security of cloud solutions
- Achieve consistent security authorizations using a baseline set of agreed upon standards to be used for Cloud product approval in or outside of FedRAMP
- Ensure consistent application of existing security practices
- Increase confidence in security assessments
- Increase automation and near real-time data for continuous monitoring
- Increase re-use of existing security assessments across agencies
- Save significant cost, time, and resources – “do once, use many times”
- Improve real-time security visibility
- Provide a uniform approach to risk-based management
- Enhance transparency between government and cloud service providers (CSPs)
- Improve the trustworthiness, reliability, consistency, and quality of the Federal security authorization process
Objectives of FedRAMP
- Ensure that information systems/services used government-wide have adequate information security;
- Eliminate duplication of effort and reduce risk management costs; and
- Enable rapid and cost-effective procurement of information systems/services for federal agencies.
The Joint Authorization Board (JAB) is the primary governance and decision-making body for the FedRAMP program. The JAB reviews and provides joint provisional security authorizations of cloud solutions using a standardized baseline approach. Chief Information Officers from the Department of Defense, the Department of Homeland Security, and GSA serve on the JAB.
Certification for Non-Federal Government Organizations (e.g., state, local, tribal, territorial, etc.)
From the FedRAMP.gov site, “FedRAMP is specific to cloud technologies that store, process, or transmit federal information. CSPs must partner with a federal agency to assess and authorize a cloud service offering for FedRAMP Authorization. Due to FedRAMP’s specificity to federal information, non-federal government organizations (e.g., state, local, tribal, territorial, etc.) are not able to partner with CSPs for FedRAMP Authorization.
Where information systems at the state and local levels are processing federal information, the federal agency responsible for that information is charged with determining if FedRAMP Authorization is required.”
Non-federal government organizations can also review the FedRAMP Marketplace for cloud service offerings that have achieved FedRAMP Authorization for public and government community cloud offerings and work with CSPs to understand how those systems can be leveraged for state and local use.
What is FedRAMP Ready?
FedRAMP Ready is a designation that indicates a Third Party Assessment Organization (3PAO) attests to a CSP’s readiness for the authorization process based on a self-assessment, and that a Readiness Assessment Report (RAR) has been reviewed and approved by the FedRAMP PMO. The RAR documents the CSP’s capability to meet FedRAMP security requirements.
Benefits of FedRAMP Ready
- P-ATO Requirement: An approved RAR is required for any CSP pursuing a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) and is highly recommended for an Agency Authority to Operate (ATO). While becoming FedRAMP Ready is not a guarantee that a CSP will become authorized, achieving FedRAMP Ready status provides a greater likelihood of success in the authorization process as the government has a clearer understanding of a CSP’s technical capabilities.
- FedRAMP Marketplace Listing: CSPs that achieve the FedRAMP Ready designation are listed on FedRAMP’s Marketplace. Agencies use the FedRAMP Marketplace to research cloud services that meet their organizational requirements.
- Self-Assessment: For CSPs that are considering whether or not to become FedRAMP authorized, the RAR can serve as a self-assessment to determine what gaps exist in their service offering’s security and where those gaps are. Such information can help CSPs understand the level of effort necessary to secure their system(s) according to FedRAMP requirements before pursuing an ATO with an agency. The Readiness Assessment Report Template for High and Moderate systems can be found on the Templates page of fedramp.gov.
Still have questions?
If you have questions about becoming FedRAMP Ready, the Readiness Assessment Report, partnering with a 3PAO, or the FedRAMP authorization process in general, please contact the FedRAMP PMO at firstname.lastname@example.org.
To learn more about the FedRAMP program, visit FedRAMP.gov.