Overview of FedRAMP Authorization Process

Mar 25, 2025

Lecture Notes: Understanding FedRAMP Authorization

Introduction

  • Speaker: Tom Conl, Cybersecurity Engineer
  • Organization: Optic Cyber Solutions
  • Topic: Overview of FedRAMP Authorization

What is FedRAMP?

  • Full Name: Federal Risk and Authorization Management Program
  • Operated by: General Services Administration (GSA)
  • Purpose: To review and approve the security posture of cloud services used by the federal government.
  • Focus: Eliminate redundant evaluations of cloud services across federal agencies.

Importance of FedRAMP

  • Security Assurance: Ensures cloud services protect sensitive data effectively.
  • Cost and Time Efficiency: Reduces duplication of effort, cost, and time across different federal agencies.
  • Confidence: Provides a standardized security assessment model, reducing the need for separate evaluations.

FedRAMP Authorization Process

  1. Assess Once, Report Many:
    • Security evaluation is conducted once and leveraged by multiple agencies.
    • Provides assurances that cloud services are secure for federal data.
  2. Security Controls Framework:
    • Uses security controls from NIST Special Publication 800-53.
    • Ensures confidentiality, integrity, and availability of data.

FedRAMP Impact Levels

  • Low Impact:
    • Limited adverse effect on agencies.
    • Over 150 security controls.
  • Low Impact Tailored:
    • For non-sensitive data; 70 security requirements.
    • An additional 75 controls require attestation.
  • Moderate Impact:
    • Serious adverse effect potential.
    • Over 320 security controls.
  • High Impact:
    • Severe or catastrophic effect potential.
    • Over 400 security controls.
    • Used for sensitive unclassified data (e.g., law enforcement, emergency services).

FedRAMP Authorization Process Phases

  1. Sponsorship:
    • Identify a federal agency sponsor.
    • Alternatively, seek FedRAMP program authorization independently.
  2. Preparation:
    • Develop System Security Plan (SSP).
    • Detail implementation of required security controls.
  3. Evaluation:
    • Independent third-party assessment ensures compliance with security controls.
  4. Continuous Monitoring:
    • Ongoing updates and assessments to maintain security compliance.

Conclusion

  • Duration: Typical FedRAMP process takes about 18 months.
  • Business Enablement: Essential for CSPs to do business with federal/state governments.
  • Commitment Demonstration: Shows dedication to protecting customer information.

Additional Resources

  • Further Reading and Videos:
    • Risk Management Framework
    • Creating an SSP
    • Managing a policy
  • Contact Information:

Speaker's Note

  • Tom Conl's Experience: Extensive experience in FedRAMP authorization process.
  • Contact for Assistance: Available for questions and guidance in the process.

Optic Cyber Solutions: Helps organizations with assessment, implementation, and advising services.