Good morning. My name is Tom Conl, and I'm a cyber security engineer at Optic Cyber Solutions. With the requirements for programs like CMMC now requiring the use of FedRAMP authorized cloud service providers, we've been getting more and more questions about what the program is and what it means to be FedRAMP authorized. At Optic we've helped organizations navigate the FedRAMP authorization process and want to share a quick overview of the program and why it's important.

First off, FedRAMP is the Federal Risk and Authorization Management Program, operated by GSA. This program's focus is on reviewing and approving the security posture of cloud services for use by the federal government. FedRAMP authorizes cloud service offerings operated by a cloud service provider, whether the cloud service offering is a software as a service, platform as a service, or infrastructure as a service. The program was introduced to eliminate the duplication of effort between government agencies when determining if a cloud service offering was secure. Prior to FedRAMP, each time a federal agency wanted to use a cloud service, the cloud service offering had to be evaluated individually to determine if it was secure. Therefore, if a cloud service offering used by the Department of Labor was also used by the Department of Defense, the service had to be evaluated by both agencies independently. This placed a heavy burden on the cloud service providers as well as the federal government and caused a duplication of effort within the government. This duplication led to delays in other organizations being able to use an evaluated cloud service offering, as well as duplicative costs for the federal government and CSPs in funding the redundant assessment.

So why is this important? Understanding how cloud service providers protect data within their cloud service offering is important for ensuring sensitive data is not leaked or misused. Therefore it is critical that cloud service offerings are evaluated. However, evaluating them every time a new federal agency purchases the cloud service offering isn't adding confidence, just additional time and money. As I mentioned, FedRAMP was created to allow reciprocity, or the sharing of security packages, including the assessment results, across agencies. With the implementation of FedRAMP, cloud service providers can have their products, the cloud service offering, evaluated once and that same evaluation leveraged by multiple agencies. Or, simply put, FedRAMP enables the model of "assess once, report many."

FedRAMP provides assurances for agencies that the cloud service offerings on their list are secure and can properly protect sensitive federal data from unauthorized access and modification, as well as be available when needed. To prove this, the FedRAMP program leverages the security controls for confidentiality, integrity, and availability from the NIST Special Publication 800-53.

The FedRAMP program has three levels, well, four levels if you count the level specifically tailored for non-sensitive information. Let me explain. FedRAMP uses FIPS 199 to categorize products based on their impact level to establish the cloud service offering's baseline. The impact is determined based on the sensitivity of the data in the cloud service offering and its criticality to the federal government.

The first level is low impact. This level includes services that will have a limited adverse effect on agencies using the cloud service offering. Low impact authorizations include over 150 security controls from Special Publication 800-53 Rev. 5. While not identified in FIPS 199, FedRAMP does include a low impact tailored baseline. This is the fourth and slightly different baseline. It is tailored down from the low impact baseline and only includes about 70 security requirements. However, low impact tailored is only for systems that do not store, process, or transmit sensitive data. For example, PII is too sensitive for this baseline. While only 70 security controls are required to be assessed in the low impact tailored baseline, it requires cloud service providers to attest that they have implemented an additional 75 security controls.

The second level is the moderate baseline. The moderate baseline is used for cloud service offerings that would have a serious adverse effect on an agency, its assets, or its individuals if the cloud service offering was compromised. The moderate baseline includes over 320 security controls and enhancements from SP 800-53 Rev. 5.

The third baseline level is high. High impact cloud service offerings are those that would have a severe or catastrophic effect on an agency. This level is used for the government's most sensitive unclassified data in cloud computing environments and requires over 400 security controls and enhancements. This level typically includes cloud service offerings that support law enforcement, emergency services, and financial systems.

Now, to be approved for use by the federal government, the cloud service offering needs to complete the FedRAMP authorization process to get on the list and enable agencies to actually use the products. To do this, a cloud service provider needs to create a security package describing how they meet the requirements included in their identified baseline for the cloud service offering they are putting forward. This is a standard four-phase process.

During the first phase, the cloud service provider identifies a federal agency sponsor, or someone within the federal government that wants to use the product. However, if a sponsor is not available, the cloud service provider can go through the process and seek a FedRAMP program authorization without an agency sponsor.

In the second phase, preparation, the cloud service provider develops the system security plan, or SSP, for the cloud service offering, describing how each of the required security controls for the baseline they seek is going to be implemented. Once the FedRAMP program office accepts the SSP, the provider implements the security capabilities and updates the security package, including the SSP and customer responsibility matrix.

During the third phase, the cloud service offering is evaluated by an independent authorized third party to ensure the product has properly implemented all required security controls before receiving its authorization.

The fourth and final phase is continuous monitoring. It ensures the cloud service provider performs required updates to the system to maintain its security posture, maintains the security package, and performs routine assessments to confirm the cloud service offering remains in compliance with its authorization.

So hopefully this video provides context for why we are hearing more about FedRAMP recently, what it is, and why the program was created. While it does take time to complete the FedRAMP process, typically 18 months, it can be a business enabler for cloud service providers doing business with the federal government, and many state governments as well. Getting a cloud service offering FedRAMP authorized is also a great way to demonstrate to your customers your commitment to protecting their information.

Here I've pulled together some resources where you'll find information on FedRAMP. Also check out the notes below for links to other videos we've put out on topics including the Risk Management Framework, creating an SSP, and even managing a POA&M.

Again, my name is Tom Conl. I've been working with companies to go through the FedRAMP authorization process for way too long, but I'd be happy to help get you on the right path. Feel free to reach out in the comments or at info@opticcyber.com with any questions or inquiries on how to get started. Hope this video has been helpful in orienting you to the program. Thanks for watching.

Optic Cyber Solutions strives to help organizations identify and address their blind spots through our assessment, implementation, and advising services. For more information about Optic Cyber Solutions and our services, reach out at info@opticcyber.com or check out our website at opticcyber.com.