Why Do State Licensing Agencies Choose FedRAMP?

Your IT department now requires that your agency use FedRAMP. And your RFPs ask private sector vendors to explain how their services follow FedRAMP standards. But what is FedRAMP? And why are state licensing agencies choosing this for regulatory requirements?

What is FedRAMP?

According to the FedRAMP website, the Federal Risk and Authorization Management Program (FedRAMP) promotes the adoption of secure cloud-based solutions across the U.S. government. FedRAMP provides a standard way to assess security for cloud service offerings. FedRAMP helps government agencies use modern cloud technologies, with an emphasis on security and protection of federal information. Prior to FedRAMP, each federal agency required vendors to meet different security requirements. FedRAMP eliminates that challenge and provides a set of common security standards, enabling agencies and cloud service providers to reuse the authorization.

How does FedRAMP work?

FedRAMP aims to ensure that all federal data is securely stored, processed, and accessed within the cloud, helping to foster trust and confidence in government cloud computing. FedRAMP facilitates the adoption of cloud technologies by federal agencies, enabling them to leverage cloud innovations securely and efficiently.

The program operates through a “do once, use many times” framework; once a cloud service provider (CSP) undergoes the FedRAMP authorization process and deemed compliant, all federal agencies can use that CSP’s services without needing to conduct their own security assessments. This approach saves time and resources for both the government and the CSPs.

The process begins when a CSP applies for FedRAMP authorization, presenting their service offerings for review against the FedRAMP security requirements. These requirements are based on the National Institute of Standards and Technology (NIST) Special Publication 800-53, ensuring a robust security posture. The assessment is conducted by a third-party assessment organization (3PAO) that verifies the CSP’s compliance.

Once the assessment is complete, the package is reviewed by the Joint Authorization Board (JAB) or by an individual agency, depending on the authorization path chosen. The JAB consists of representatives from the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA). Upon approval, the CSP is granted an Authority to Operate (ATO), signifying that it meets the stringent FedRAMP security standards.

Throughout the lifecycle of the service, the CSP must adhere to continuous monitoring and compliance requirements to maintain their FedRAMP authorization. This involves regular reporting, vulnerability scanning, and periodic reassessments to ensure compliance with the evolving security landscape.

By standardizing and centralizing the approach to cloud security, FedRAMP ensures that federal agencies can harness the benefits of cloud computing while safeguarding sensitive government data against potential cyber threats.

StateRAMP vs. FedRAMP

StateRAMP and FedRAMP are both programs designed as a standardized approach to cybersecurity for cloud services, with each serving different levels of government within the United States. While FedRAMP (Federal Risk and Authorization Management Program) is focused on the federal level, StateRAMP is aimed at state and local governments.

Key differences between the two:

1. Scope and Target Audience

• FedRAMP is designed for federal agencies, ensuring that cloud service providers (CSPs) meet the security requirements necessary to protect federal information.
• StateRAMP targets state, local, tribal, and territorial (SLTT) governments, helping them ensure that their CSPs adhere to similar security standards. It allows these entities to leverage cloud solutions securely and efficiently.

2. Governance and Oversight

• FedRAMP is overseen by the General Services Administration (GSA) in partnership with the Department of Homeland Security (DHS) and the Department of Defense (DoD).
• StateRAMP is managed by the StateRAMP Project, which operates with oversight from a steering committee composed of state and local government members, industry representatives, and other stakeholders.

3. Authorization Process

• Both programs use a similar process for security assessment, authorization, and continuous monitoring based on NIST standards. However, the specifics of their processes, including documentation and assessment requirements, can vary due to their distinct governance structures and target audiences.

4. Reciprocity and Mutual Recognition

• FedRAMP authorization is primarily recognized by federal agencies, allowing them to use authorized cloud services without undergoing separate security assessments.
• StateRAMP aims to achieve a similar “do once, use many times” framework for state and local governments, but it operates independently of FedRAMP. There’s growing interest in reciprocity between the two, where compliance with one program could facilitate or simplify compliance with the other, but such arrangements depend on mutual agreements and recognition of security standards.

5. Security Controls and Requirements

• Both programs are based on NIST’s Special Publication 800-53 for security controls, but they may implement these internal controls differently according to their specific needs and the risk environment of their respective governmental levels.

6. Participation and Membership

• FedRAMP participation is mandatory for all federal cloud deployments and service models.
  StateRAMP participation is encouraged for state and local governments, but its adoption varies by state and locality, depending on their applicable laws, policies, and cybersecurity requirements.

7. Objective and Impact

• Both programs aim to secure government data in the cloud, but StateRAMP addresses a broader variety of government entities, recognizing the diverse needs and capabilities of state and local governments.
• This distinction highlights the programs’ shared goal of enhancing cloud security across all levels of government while acknowledging their different operational environments and challenges.

While StateRAMP and FedRAMP share a common goal of securing cloud services for government entities, they differ in their governance, scope, and implementation, tailored to meet the specific needs of federal versus state and local governments.

Why do state licensing agencies use FedRAMP?

State licensing agencies use FedRAMP to ensure that vendors they work with meet standards for secure cloud services. FedRAMP gives state agencies a common set of security requirements for vendors and government contractors. These standard questions simplify the process for state licensing agencies and yield a variety of benefits; by allowing the reuse of the authorization versus completing different authorizations for different agencies, FedRAMP helps states save money, time, and effort—for both agencies and Cloud Service Providers.

The adoption of FedRAMP standards by state agencies, even though originally designed for federal use, underscores the program’s robust security framework and its potential benefits across all levels of government.

Here are some key reasons why state regulatory agencies might choose to use FedRAMP:

Ensuring High Standards of Security

• Comprehensive Security Framework: FedRAMP provides a comprehensive set of security controls based on the National Institute of Standards and Technology (NIST) Special Publication 800-53. This ensures that cloud services used by state agencies meet rigorous security standards, protecting sensitive data against cyber threats.
• Continuous Monitoring: FedRAMP requires ongoing monitoring and regular security assessments, which helps state agencies maintain a strong security posture over time. This proactive approach to security aligns with best practices in cybersecurity management.

Streamlining Cloud Service Adoption

• “Do Once, Use Many Times” Framework: Once a cloud service provider (CSP) achieves FedRAMP authorization, its services can be used by any federal agency and, by extension, can be considered secure by state agencies. This eliminates the need for each state agency to conduct its own comprehensive security assessments, saving time and resources.
• Increased Confidence in Cloud Services: Using FedRAMP-compliant CSPs gives state agencies confidence in the security of their cloud-based operations. This can accelerate the adoption of cloud technologies, promoting innovation and efficiency within state government operations.

Compliance and Interoperability

• Alignment with Federal Standards: For state agencies that interact with federal systems or manage federally regulated data, using FedRAMP-compliant cloud services ensures alignment with federal security requirements. This is crucial for compliance with federal regulations and for participating in federal programs.
• Facilitating Data Sharing and Collaboration: State agencies often need to share data and sensitive information with federal agencies and other states. Using FedRAMP-compliant cloud services facilitates this process by ensuring that all parties are adhering to a common set of security standards, thereby reducing the barriers to intergovernmental collaboration.

Risk Management

• Risk Assessment and Authorization: FedRAMP provides a structured process for assessing the risks associated with cloud services and for authorizing their use. This helps state agencies make informed decisions about which cloud services to use based on a thorough understanding of their security posture.
• Mitigating Cybersecurity Risks: By adhering to FedRAMP standards, state agencies can better protect themselves against cybersecurity risks, such as data breaches and cyber attacks, which are of particular concern for public sector entities handling sensitive public information.

What is the FedRAMP process?

The goal of FedRAMP is to ensure all federal data is securely processed, stored, and accessed in cloud environments. Here’s an overview of the FedRAMP authorization process, broken down into key stages:

1. Preparation

• Cloud Service Provider (CSP) Preparation: Before starting the FedRAMP process, a CSP must thoroughly understand FedRAMP requirements and prepare their cloud service offering (CSO) to meet these standards. This involves implementing the necessary security controls as outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-53.
• FedRAMP Ready Assessment: CSPs often undergo a readiness assessment by a FedRAMP-accredited third-party assessment organization (3PAO). This assessment evaluates the CSP’s readiness for the full FedRAMP authorization process and is documented in a Readiness Assessment Report (RAR), which can help attract potential agency customers by demonstrating the CSP’s commitment to meeting FedRAMP standards.

2. Initiation

• Partnership Establishment: A CSP partners with a federal agency that agrees to sponsor their FedRAMP authorization process. Alternatively, a CSP can opt for a JAB (Joint Authorization Board) provisional authorization (P-ATO), which involves a selection process by the JAB itself, composed of the Chief Information Officers (CIOs) from the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA).

3. Assessment

• Security Assessment Plan (SAP): The CSP and the 3PAO develop a SAP that outlines how the security controls will be tested.
• Security Assessment: The 3PAO conducts a thorough assessment of the CSP’s implementation of NIST security controls, testing the effectiveness of these controls in protecting against threats and vulnerabilities.
• Security Assessment Report (SAR): The 3PAO produces a SAR detailing the findings from the security assessment, including any vulnerabilities identified and recommendations for remediation.

4. Authorization

• Remediation: The CSP addresses any issues identified in the SAR through corrective action plans.
• Package Review: The sponsoring agency (for an agency ATO) or the JAB (for a P-ATO) reviews the completed security authorization package, which includes the SAR, the System Security Plan (SSP), and any other relevant documentation.
• Authorization Decision: Based on the review, the authorizing official (AO) decides whether to grant an Authority to Operate (ATO) or a Provisional ATO, depending on the authorization path. This decision is based on the risk posture presented in the authorization package.

5. Continuous Monitoring

• Ongoing Assessment and Authorization: After receiving authorization, the CSP must engage in continuous monitoring and reporting to maintain their FedRAMP authorization. This includes regular updates on the security state of the CSO, vulnerability scanning, and annual reassessments of security controls.
• Change Management: The CSP is required to report significant changes to their system or operational environment that might affect their security posture, ensuring that the CSO remains compliant with FedRAMP requirements.

This structured process ensures that cloud services used by federal agencies meet rigorous security standards, safeguarding federal information while fostering confidence in government cloud adoption.

How long does FedRAMP certification take?

FedRAMP certification takes anywhere from six months to up to two years.

Additional Resources:

FedRAMP website

The federal government’s comprehensive website about FedRAMP, includes an overview, along with resources and how to get authorized.

FedRAMP Overview Video 

An introductory video on FedRAMP by the federal government provides a general overview, along with the history of FedRAMP.

More information:

Learn more about GL Solutions’ regulatory software solutions for licensing and permitting, firearms permitting, child care licensing and case management. GL Solutions also keeps your system and data safe; we provide a Microsoft Azure hosted application meeting FedRAMP security requirements.