FedRAMP ATO Vendors: How Commercial Entities Can Benefit
Why Is Vendor Management Important to Cybersecurity?
Most industry standards and regulatory frameworks require organizations to maintain a robust vendor management program. The 2018 Ponemon Institute Cost of a Data Breach Study found that when a third party caused a breach, the cost rose by more than $13 per compromised record, lifting the total average cost to $161 per compromised record, up from $131 in 2017. Organizations depend on third-party vendors to build cloud and hybrid IT infrastructures, but they also need assurance that those business partners will protect their information appropriately.
What Is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud services. Cloud Service Providers (CSPs) use it to give federal agencies assurance over their information security controls, and an authorization obtained once can be reused by other agencies rather than repeated for each one.
What Is FedRAMP Moderate Authorization to Operate (ATO)?
The FedRAMP Joint Authorization Board (JAB) has the capacity to review only a limited number of CSPs, so most CSPs are authorized through a sponsoring agency instead (an agency ATO rather than a JAB provisional ATO). Whichever route a CSP takes, obtaining FedRAMP authorization is an arduous process: the CSP must write a System Security Plan (SSP), a Security Assessment Plan (SAP) must be produced, and an independent assessment must be performed by a FedRAMP-accredited Third Party Assessment Organization (3PAO). To reach the Moderate baseline, the CSP must implement and document 325 demanding security controls drawn from NIST SP 800-53.
How FedRAMP ATO Vendors Enable Business Decision-Making
The JAB authorization process starts with the CSP establishing a "Business Case." Because FedRAMP is a government-funded program with limited capacity, the JAB can review only the most mission-critical cloud services, so a CSP must prove itself worthy before the JAB will consider its candidacy. As part of its Business Case, a CSP must:
- Prove demand for the product exists
- Show current agency use
- Provide proof that its services already enable federal agency cloud migration
- Provide a business capture plan
- Show cross-Agency benefits
- Demonstrate mature organizational internal controls
- Demonstrate a new and innovative return on investment (ROI) in reducing risk, saving cost, and/or addressing political considerations
- Demonstrate that it provides an underlying service that other CSP products can leverage