How to Get FedRAMP Ready
Lin Manuel Miranda is more known for his musical Hamilton these days, but years ago, he also wrote a 14-minute show called 21 Chump Street. It featured a song—“What the Heck I Gotta Do.”
During the show, it’s performed by a young teenager, Justin Laboy, trying to win the heart of his crush. But let’s be honest—his question also has tremendous relevance to those of you trying to gain FedRAMP authorization.
Though not the high school puppy love Miranda wrote about, this federal compliance program can seem just as complicated a path to tread. You might even have a question similar to Justin’s—only you’re trying to understand the requirements on your road to that coveted FedRAMP Authorized status.
As a Third Party Assessment Organization (3PAO) that helps organizations through this process, we previously wrote about FedRAMP Ready—what it is, who should get a Readiness Assessment Report (RAR), and how it can help you. But now, we want to answer “what the heck you gotta do” to actually become FedRAMP Ready.
In this article, we will break down the requirements you must satisfy during your Ready Assessment—something you must do to receive the formal designation of Ready status on the FedRAMP Marketplace.
The FedRAMP Program Management Office (PMO) has high expectations for a RAR, but reading this article will help simplify the preparation of your cloud service offering (CSO) ahead of your assessment.
What are the FedRAMP Ready Requirements?
Let's establish this first: the Ready Assessment is not intended to cover the entire FedRAMP control baseline. That said, it’s still going to require considerable preparation to meet the many control requirements. Even at this early stage, your 3PAO will be thoroughly documenting your CSO’s capabilities.
So you don’t go in underestimating what you need to prepare, ensure your CSO meets the following requirements at a minimum:
- Your CSO must be fully operational before the start of the assessment. While you are not required to have active customers within your environment, the PMO defines fully operational as “the architectural components of the system are all in place and operating as required, and the technical controls are implemented.”
- Your CSO must have a comprehensive authorization boundary diagram and supporting data flow diagrams. Accurate and detailed diagrams are a critical component to the PMO’s review of a RAR, so ensure your diagrams are up to their standards.
- Your CSO must be compliant with the six federal mandates outlined within the FedRAMP RAR templates. That means your CSO must feature the following:
  - Implementation of FIPS 140-2 validated cryptographic modules for all data at rest and data in transit, covering all external and internal data flows.
  - Compliance with Digital Identity Level 2 or 3, depending on your intended FedRAMP impact level (i.e., Moderate or High). It would be difficult to distill these dense requirements here, but in summary, your 3PAO will evaluate the following elements of your CSP against the specific requirements outlined within the corresponding Level:
    - Identity proofing process;
    - Authentication methods; and
    - Any federation implementations.
    For more details, you can review NIST Special Publication 800-63.
  - Compliance with the SC-20, SC-21, and SC-22 NIST security controls and their FedRAMP parameters (SC-20 covers the authoritative side, SC-21 the recursive/caching resolver, and SC-22 the architecture and provisioning of the name resolution service). That includes the implementation of DNS Security Extensions (DNSSEC) on your external/authoritative DNS servers as well as on your internal recursive/caching resolvers, which must validate signed responses. You also need to ensure fault tolerance and role separation are in place for those external/authoritative DNS servers.
  NOTE: This federal mandate tends to trip up many CSPs, as there are additional nuances expected to be in place beyond the summary just provided. Discussing DNSSEC with your 3PAO early in the assessment process will be critical.
  - The ability to consistently remediate High vulnerabilities within 30 days, Moderate vulnerabilities within 90 days, and Low vulnerabilities within 180 days. To demonstrate this during the Ready Assessment, you will provide multiple months of vulnerability scans for your CSO’s operating systems, containers, databases, and web applications, where applicable.
  - The capability to support user authentication via Agency Common Access Card (CAC) or Personal Identity Verification (PIV) credentials. To meet this, you may have your CSO support SAML 2.0 and require agency customers to integrate access with an identity provider of their choice.
  - Adherence to the Federal Records Management Requirements, including the ability to support record holds, National Archives and Records Administration (NARA) requirements, and Freedom of Information Act (FOIA) requirements.
- Your CSO must disclose all system interconnections as well as external and corporate systems used to support the CSO. This includes:
  - All third-party cloud-based systems;
  - Corporate systems owned/managed by the CSP; and
  - Any public or custom API sets that allow data to flow to/from the system.
At a minimum, the PMO will want to understand the interconnection details, data types, and, most importantly, whether the system or service possesses an existing FedRAMP Authorization.
Note for CSPs pursuing the JAB authorization path (both Moderate and High) and for CSPs pursuing the Agency authorization path at the FedRAMP High impact level: under most circumstances, the FedRAMP PMO and JAB will not consider a CSP for a FedRAMP Ready designation if the CSO leverages external systems or services that are not FedRAMP Authorized at the same impact level.
- Your CSO must not have any major technical gaps between your CSP’s implemented technical controls and FedRAMP requirements. In other words, your CSO should meet the majority of the capabilities outlined within Section 4 of the RAR. Your 3PAO will evaluate how your CSO meets these capabilities as well as the aforementioned Federal Mandates. The capability areas are:
  - Identification, Authentication, and Access Control
  - Audit, Alerting, Malware, and Incident Response
  - Contingency Planning and Disaster Recovery
  - Configuration and Risk Management
  - Data Center Security
  - Change Management
  - Continuous Monitoring
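The vulnerability remediation mandate above is judged from several months of scan exports, so it helps to check your own history before the 3PAO does. The following Python script is an added example (not code from the article or from Schellman) that collapses a series of dated scan exports into per-finding first-seen and last-seen dates and classifies each finding against the 30/90/180-day windows; the scan dates, host names and plugin identifiers are constructed sample data.

```python
from datetime import date, timedelta

# Remediation windows quoted in the FedRAMP mandate, in days from first detection.
REMEDIATION_DAYS = {"High": 30, "Moderate": 90, "Low": 180}

def finding_history(scans):
    """Collapse dated scan exports into per-finding first/last-seen dates.
    scans: iterable of (scan_date, [(host, plugin_id, severity), ...]).
    Returns {(host, plugin_id): {"severity", "first_seen", "last_seen"}}."""
    history = {}
    for scan_date, findings in sorted(scans, key=lambda s: s[0]):
        for host, plugin_id, severity in findings:
            rec = history.setdefault((host, plugin_id), {
                "severity": severity, "first_seen": scan_date, "last_seen": scan_date})
            rec["last_seen"] = scan_date
            # If a finding is re-rated to a higher severity, the shorter window applies.
            if REMEDIATION_DAYS[severity] < REMEDIATION_DAYS[rec["severity"]]:
                rec["severity"] = severity
    return history

def sla_status(scans):
    """Return {(host, plugin_id): (severity, status)}, status being one of
    'closed-on-time', 'closed-late', 'open-within-sla' or 'open-overdue'."""
    scan_dates = sorted(d for d, _ in scans)
    latest = scan_dates[-1]
    out = {}
    for key, rec in finding_history(scans).items():
        deadline = rec["first_seen"] + timedelta(days=REMEDIATION_DAYS[rec["severity"]])
        if rec["last_seen"] == latest:          # still present in the newest scan
            status = "open-overdue" if latest > deadline else "open-within-sla"
        else:
            # The real fix date is unknown; the first scan in which the finding is
            # absent is the conservative (latest possible) remediation date.
            closed_on = min(d for d in scan_dates if d > rec["last_seen"])
            status = "closed-on-time" if closed_on <= deadline else "closed-late"
        out[key] = (rec["severity"], status)
    return out

# Constructed sample: four monthly scans of a two-host CSO (not real scan data).
SAMPLE_SCANS = [
    (date(2023, 1, 5), [("web-1", "vuln-001", "High"), ("db-1", "vuln-002", "High"),
                        ("db-1", "vuln-003", "Moderate")]),
    (date(2023, 2, 3), [("db-1", "vuln-002", "High"), ("db-1", "vuln-003", "Moderate"),
                        ("web-1", "vuln-004", "High")]),
    (date(2023, 3, 6), [("db-1", "vuln-003", "Moderate"), ("web-1", "vuln-004", "High")]),
    (date(2023, 4, 4), [("db-1", "vuln-003", "Moderate"), ("web-1", "vuln-004", "High")]),
]

if __name__ == "__main__":
    for (host, plugin), (sev, status) in sorted(sla_status(SAMPLE_SCANS).items()):
        print(f"{host:6} {plugin:9} {sev:9} {status}")
```

Because the script only sees scan dates, a finding that disappears between scans is credited with the date of the first clean scan, so an export cadence longer than the window can make an on-time fix look late; scan at least as often as your shortest window.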
Get Ready for FedRAMP Ready
Though what we’ve listed may appear extensive, the requirements mentioned here are not meant to be all-inclusive; in fact, your Ready Assessment will certainly cover more.
However, they are meant to serve as a critical priority list as you prepare for your Ready Assessment. You now have a summary of the items that, if not met as part of your Ready Assessment, would be considered a “showstopper” by the PMO.
By “stopping the show,” we mean that your Ready process would be derailed: the PMO has instructed 3PAOs not to submit any RAR for PMO review unless the CSO meets these very items.
But now, you know “what you gotta do,” as Lin Manuel Miranda wrote. As you continue to prepare to become FedRAMP Ready, make sure to read our article on the phases to a FedRAMP Ready Assessment. There’s insight on how the actual process works that will help you set more specific conditions for your experience.
While FedRAMP Ready is no guarantee of Authorization down the line, it can help your organization enter the lucrative FedRAMP marketplace. If you find you have further questions regarding the specifics, please contact us. We’d be happy to have a conversation that lends the 3PAO perspective to answering any concerns you may have.
About Matt Hungate
Matt Hungate is a Senior Manager with Schellman based in Charlottesville, VA. Prior to joining Schellman in 2019, Matt worked as a Cybersecurity Consultant for a large advisory firm, where he specialized in strategy and assessment services for NIST SP 800-53 and FedRAMP. Matt also led and supported various other projects, including the development of an enterprise-wide cybersecurity strategy and cloud transition plan for a large federal agency. Matt has over 5 years of experience serving clients in both the private and public sectors, and his credentials include the CISSP, CISA, and CPA. Matt is now focused primarily on FedRAMP assessments for organizations across various industries.