April 2, 2019

FedRAMP ATO Vendors: How Commercial Entities Can Benefit

Vibhuti Sinha

Chief Cloud Officer

FedRAMP ATO Vendors: How Commercial Entities Can Benefit

“Cloud migration,” “digitalization,” and “IT transformation” all refer to creating new cloud-based and hybrid information technology environments that ease business operation burdens and help drive customer engagement. However, as enterprises seek to create the modern IT architectures and move workloads to the cloud, they need also incorporate Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), and Platform-as-a-Service (PaaS) vendors to help create ecosystems that enable their business needs. Unfortunately, not all vendors are created equally. To remain compliant, organizations need vendors who match their cybersecurity risk tolerance levels. The rigorous FedRAMP authorization process provides assurance that the vendor offers a solution that supports systems, incorporates innovative technology, and secures their customers’ information.

Why Is Vendor Management Important to Cybersecurity?

The majority of industry standards and regulatory requirements require organizations to maintain robust vendor management programs. The 2018 Ponemon Cost of a Data Breach found that when a third-party caused a data breach, the cost increased by more than $13 per compromised record, increasing the total average cost to $161 per compromised record from 2017’s $131 per compromised record. Organizations depend on third-party vendors to create cloud and hybrid IT infrastructures. However, they need to maintain assurance that their business partners will protect their information appropriately.

What Is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a unified framework that Cloud Service Providers (CSPs) can use to give Federal agencies assurance over their information security controls.

What is FedRAMP Moderate Authorization-to-Operate (ATO)?

The FedRAMP Joint Authorization Board (JAB) cannot review all CSPs. Therefore, organizations obtaining FedRAMP ATO status must undergo an arduous review process that includes creating a System Security Plan, System Assessment Plan, and review by a third-party assessment organization (3PAO). To meet FedRAMP Moderate ATO status, the CSP needs to meet almost burdensome security requirements across 325 controls (NIST 800-53).

How FedRAMP ATO Vendors Enable Business Decision-Making

The FedRAMP authorization process starts with the CSP establishing a “Business Case.” As a government-funded program, FedRAMP and JAB can review only the most mission-critical CSPs. Therefore, a cloud service needs to prove itself worthy before the JAB will consider its candidacy. As part of creating its “Business Case,” a CSP must:

Prove demand for the product exists
Show current agency use
Provide proof that its services already enable federal agency cloud migration
Provide a business capture plan
Show cross-Agency benefits
Demonstrate mature organizational internal controls
Prove that it provides a new and innovative demonstrable ROI for reducing risk, saving cost, and/or addressing political considerations.
Demonstrate that it provides an underlying service that other CSP products can leverage

Gartner believes that by 2030, CSPs will “be analogous to the electricity market” and that “the current CSP market structure is difficult to sustain in the longer term without radical transformation.” In the current oversaturated market, organizations struggle to find the CSPs that will offer the best, long term return on investment. Since JAB forces a CSP to prove its value before even considering its security, seeking out a FedRAMP ATO vendor can help the enterprise cut down on the number of third-parties it needs to review before making a final decision, thus streamlining the process.

How FedRAMP ATO Vendors Strengthen Vendor Monitoring Programs

Federal agencies need to meet strict regulatory compliance requirements set by the federal government. The U.S. Government Accountability Office (GAO), in conjunction with the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB) review the Federal Cybersecurity Risk Assessment and Action plan to determine whether civilian agencies adequately protect the integrity, confidentiality, and availability of federal information and information systems. Thus, they must find CSPs to not only enable the Cloud First Mandate but ones who can ease their compliance requirements. Obtaining FedRAMP ATO status requires a CSP to engage in detailed audits that provide JAB assurance over their internal controls and processes governing data and its continuous monitoring over those controls. The assurance and documentation allow an enterprise to feel greater confidence in the third-party vendor’s ability to ease the digitalization burdens while protecting data security. Therefore, an organization partnering with a third-party cloud-based vendor who has achieved FedRAMP ATO can more rapidly review and assess the third-party vendor’s risk mitigation strategies to ease the vendor management review. Moreover, as the enterprise struggles to maintain continuous monitoring over its vendors to meet vendor management program requirements, it can feel more confident in a FedRAMP authorized third-party CSP given the stringent requirements over their own monitoring that they need to meet.

How to Find FedRAMP Authorized Vendors

Once FedRAMP approves a CSP, it lists the organization in its marketplace. The marketplace makes it easy to review and compare Cloud Solution Offerings (CSOs) so that an enterprise can review the products to determine which ones best meet its business needs, fully certain that the vendor has already established a mature cybersecurity program that protects its information.

Using Saviynt’s FedRAMP Moderate ATO To Strengthen IAM/PAM/IGA Programs

Saviynt is the first and only IAM/PAM/IGA solution to obtain FedRAMP Moderate ATO. We recognize the holistic need to secure our customers’ data while they work to secure their own ecosystems. For federal agencies and non-federal customers seeking to migrate to the cloud, Saviynt easily integrates with a variety of applications including SAP, Oracle, Epic, AWS, and Azure so that they can rapidly modernize their IT infrastructures. Our FedRAMP Moderate ATO means that our Federal and non-Federal customers can accelerate their cloud migration strategies using a technology that meets business-critical security needs – both from an enablement perspective and a vendor management program perspective.