FedRAMP ATO Vendors: How Commercial Entities Can Benefit
- Vibhuti Sinha
- April 2, 2019
- 3:40 pm
“Cloud migration,” “digitalization,” and “IT transformation” all refer to creating new cloud-based and hybrid information technology environments that ease business operation burdens and help drive customer engagement. However, as enterprises seek to create modern IT architectures and move workloads to the cloud, they also need to incorporate Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), and Platform-as-a-Service (PaaS) vendors to help create ecosystems that enable their business needs. Unfortunately, not all vendors are created equal. To remain compliant, organizations need vendors who match their cybersecurity risk tolerance levels. The rigorous FedRAMP authorization process provides assurance that the vendor offers a solution that supports systems, incorporates innovative technology, and secures their customers’ information.
Why Is Vendor Management Important to Cybersecurity?
The majority of industry standards and regulatory requirements require organizations to maintain robust vendor management programs. The 2018 Ponemon Cost of a Data Breach study found that when a third party caused a data breach, the cost increased by more than $13 per compromised record, raising the total average cost to $161 per compromised record from 2017’s $131 per compromised record. Organizations depend on third-party vendors to create cloud and hybrid IT infrastructures. However, they need to maintain assurance that their business partners will protect their information appropriately.
What Is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a unified framework that Cloud Service Providers (CSPs) can use to give Federal agencies assurance over their information security controls.
What Is FedRAMP Moderate Authorization-to-Operate (ATO)?
The FedRAMP Joint Authorization Board (JAB) cannot review all CSPs. Therefore, organizations seeking FedRAMP ATO status must undergo an arduous review process that includes creating a System Security Plan and a System Assessment Plan, followed by review by a third-party assessment organization (3PAO). To achieve FedRAMP Moderate ATO status, the CSP needs to satisfy demanding security requirements across 325 controls drawn from NIST SP 800-53.
How FedRAMP ATO Vendors Enable Business Decision-Making
The FedRAMP authorization process starts with the CSP establishing a “Business Case.” As a government-funded program, FedRAMP and the JAB can review only the most mission-critical CSPs. Therefore, a cloud service needs to prove itself worthy before the JAB will consider its candidacy. As part of creating its “Business Case,” a CSP must:
- Prove that demand for the product exists
- Show current agency use
- Provide proof that its services already enable federal agency cloud migration
- Provide a business capture plan
- Show cross-Agency benefits
- Demonstrate mature organizational internal controls
- Prove that it provides a new and innovative demonstrable ROI for reducing risk, saving cost, and/or addressing political considerations
- Demonstrate that it provides an underlying service that other CSP products can leverage