What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide initiative that was established in 2011 to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. FedRAMP offers a standardized approach to security assessments, security authorization, and continuous monitoring for cloud products and services. It is designed to:

• Reduce duplicative efforts, inconsistencies, and cost inefficiencies.
• Establish public-private partnerships that promote innovation and security.
• Enable the federal government to accelerate the adoption of cloud computing.
• Create transparent standards and processes for security authorizations.
• Allow agencies to leverage security authorizations on a government-wide scale.

Who supports FedRAMP at CMS?

The CMS FedRAMP Program Management Office (PMO) is made up of members of the Information Security and Privacy Group (ISPG). The team works on the procedures to obtain FedRAMP authorization and perform continuous monitoring for cloud services.

FedRAMP versus FISMA

There may be some confusion about the difference between the FedRAMP program and the Federal Information Security Modernization Act (FISMA). While these two federal policies have a lot in common, there are important differences that users need to be aware of.

The Federal Information Security Modernization Act (FISMA) was enacted in 2002 as an effort to modernize all federal government information systems. When thinking about FISMA and FedRAMP, it’s important to remember that FISMA guidance applies to all technologies and systems while FedRAMP deals exclusively with cloud service offerings. Other differences include:

• While both FedRAMP and FISMA follow NIST security guidance from 800-53, FedRAMP has additional, cloud-specific controls.
• The FISMA boundary encompasses the full system, which can include 1 or more cloud service offerings; the FedRAMP boundary is exclusively for the cloud service offering and may include the full stack (infrastructure, platform and software) or just parts.
• FedRAMP requires a Third Party Assessment Organization (3PAO), certified through GSA FedRAMP Program Management Office (PMO), to provide initial and periodic assessments of cloud systems based on federal security requirements; FISMA does not.
• FedRAMP authorization can be leveraged by multiple agencies, while FISMA authorization is agency specific.

How to obtain a FedRAMP Authorization

The primary way in which a cloud service can obtain a FedRAMP authorization is through an Agency authorization:

Agency ATO

Any federal agency can work with a cloud services provider to provide an ATO for the cloud service and submit the package to the FedRAMP Program Management Office (PMO) for authorization. Agency Authorization also provides the additional benefit of collaborative continuous monitoring efforts. To get involved in any of these meetings for systems not sponsored by CMS, the ISSO should email the vendor's compliance team which is available at marketplace.fedramp.gov (Click on the vendor. Contact info is to the left).

FedRAMP Authorization levels

FedRAMP follows the Federal Information Process Stands (FIPS) 199 for the categorization of the baseline requirements as:

Low

This FedRAMP baseline was developed to authorize low impact industry solutions that do not contain any sensitive personally identifiable information (PII), including Low-Impact Software as a Service (Li-SaaS).

Moderate

The moderate level is for cloud service offerings where the loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency’s operations, assets, or individuals. Serious adverse effects at the moderate level could include significant operational damage to agency assets, financial loss, or individual harm that is not loss of life or physical.

High

The high level is typically reserved for law enforcement and emergency services systems, financial systems, health systems, and any other system where loss of confidentiality, integrity, or availability could have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. The high level holds the government’s most sensitive, unclassified data in cloud computing environments, including data that involves the protection of life and financial ruin.

Is FedRAMP Authorization required?

Yes, according to an OMB Memorandum, any cloud service that holds federal data must be FedRAMP authorized. Existing FedRAMP authorized cloud services can be viewed in the FedRAMP Marketplace.

There are exceptions to the authorization requirements above. If a cloud service offering meets all of the following criteria, it can be implemented by CMS without a FedRAMP Authorization:

• The offering has a private cloud deployment model (i.e., the cloud environment is operated solely for the use at CMS).
• The offering is privately implemented within a managed CMS general services system (i.e., within CMS Cloud).
• The offering does not provide cloud services from the cloud-based information system to any external entities (including bureaus, components, or subordinate organizations within their agencies).

In the event that your chosen cloud service offering does not require a FedRAMP Authorization, you should continue to comply with the current FISMA requirements and the appropriate NIST security standards and guidelines for your private cloud-based information system.

FedRAMP Authorization best practices

There are some important steps you can take to make sure your FedRAMP Authorization efforts are successful:

Reach out to teams who can help

Making an effort to reach out to others who can help you determine the appropriate next steps for FedRAMP Authorization will make the process easier and help you avoid delays.

• Contact the CMS Cloud team to see if their solution meets your needs.
• Contact the CMS FedRAMP PMO if you're thinking of using a different cloud service.
• Contact the Technical Review Board to discuss the necessary steps to ensure the proper architecture and security to protect government data.

Define the Authorization Boundary

Cloud Service Providers (CSPs) must have an authorization boundary diagram that depicts their scope of control over the system components, as well as interconnections to leveraged services external to the boundary. A well-defined boundary allows the stakeholders to understand data flows and how it's protected.

Engage the CMS FedRAMP PMO

CMS stakeholders and CSPs interested in using a cloud offering or provider that does not have a FedRAMP authorization should engage the CMS FedRAMP PMO early and often. A list of approved cloud service offerings and providers can be found here on this page, or on the FedRAMP Marketplace.

Provide transparency into security

CSPs should clearly communicate how a cloud service impacts federal information and provide CMS stakeholders insight into a system’s architecture.

Develop mature processes

Business Owners and CSPs have a responsibility to perform continuous monitoring and maintain a system’s security posture, requiring mature security processes. The CMS FedRAMP PMO can support stakeholders in this process and answer questions.

Describe how security requirements are met

CSPs should describe how they manage and support security and what protections they have in place to achieve a level of security sufficient for CMS systems. In addition to the FedRAMP baseline, the CSP will also have to meet CMS baseline security requirements to receive an Authority to Operate (ATO).

Choosing a cloud service provider or offering

When selecting a cloud service offering or provider, you can either use a service that has been FedRAMP authorized, or you can choose to sponsor the initial authorization with a CMS Agency Authorization for a cloud service offering.

Sponsoring a new cloud service provider or offering

Sponsoring a cloud service will require a CMS Authorization to Operate (ATO), which will take time. Additionally, a new cloud service provider will need to navigate through the FedRAMP Authorization process. This will add more time to production and will require monthly continuous monitoring responsibilities.

There are a number of important requirements you must meet if you’re interested in sponsoring a cloud service offering for FedRAMP Authorization at CMS:

• The CSP is recommended to use Open Security Controls Assessment Language (OSCAL) for documentation.
• It is recommended that the CSP has an independent FedRAMP Readiness Assessment already in place.
• The Business Owner and ISSO must commit to the management of the authorization and continuous monitoring process.
• CMS Cloud can provide the underlying infrastructure and platform needed to host the application.

Choosing an existing FedRAMP provider

The FedRAMP Marketplace is the repository of cloud service providers (CSPs) and cloud service offerings (CSOs) that are:

FedRAMP Authorized - CSO is authorized for FedRAMP

FedRAMP Ready - CSP is not yet authorized for FedRAMP, but the CSP have completed their FedRAMP Readiness Assessment Report (RAR) and is ready to partner with an Agency (such as CMS)

FedRAMP In Process - CSO is being reviewed for an Authority to Operate (ATO) by an Agency or Joint Agency

"FedRAMP Ready" status for new CSPs that are not FedRAMP Authorized is highly recommended. This status indicates that a 3PAO has reviewed documentation from the CSP and provided a readiness report. This can be requested for review as part of evaluating the selection of a CSO.

FedRAMP Package Request process

The FedRAMP Package provides security posture details for a cloud service that has been FedRAMP Authorized. You may want to request a FedRAMP package if you are using, considering, and/or assessing a cloud service offering. Initial access to the package lasts for 60 days. Permanent access can be granted if the agency has an ATO letter on file with the FedRAMP Program Management Office (PMO). According to the FedRAMP Authorization Act, all systems that directly leverage a FedRAMP-authorized cloud service must include this in an ATO and notify the CMS FedRAMP PMO (fedramp@cms.hhs.gov) of the authorization and changes to the authorization, including renewals and revocation.

Note: Creating a request for a FedRAMP Package requires a Max.gov account. Follow the steps below:

Products

CMS Sponsored Initial Authorization FedRAMP Products

CMS Sponsored Products -- In Process