
Selling government cloud services: FedRAMP vs. FISMA

Rob Barnes and Tom McAndrew, Guest Contributors, Coalfire Federal

As an accredited third-party assessment organization for FedRAMP -- the U.S. government's risk management program for cloud procurement -- we get many questions from federal agencies and cloud providers about the difference between FedRAMP and FISMA, a federal law that defines the framework for protecting government data overall. The answer lies in the differences between the controls tested and their authorization processes.

Even if a cloud provider isn't planning to compete in the public sector with government cloud services, it's still important to have at least a basic understanding of both programs. Here's why: The federal government is the largest single producer, collector, consumer and disseminator of information in the United States, so any changes in regulatory requirements that affect the agencies have the potential to significantly affect the commercial sector as well.

Same standards, additional controls

The Federal Information Security Management Act (FISMA) of 2002 mandates a process to strengthen the security posture of government information systems, and compliance is required by law for federal agencies.


When most agencies and their vendors discuss being "FISMA-compliant," what they are usually referring to is meeting the controls identified in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems. This is because the law is enforced through various processes described in the Office of Management and Budget (OMB) Circular A-130, which establishes definitions, processes and requirements for federal agencies to follow. Through Circular A-130, FISMA recommends that agencies follow the guidance NIST has issued for selecting and implementing security controls based on the system's impact level. This guidance includes Federal Information Processing Standards (FIPS) 199, which explains how to categorize and secure systems according to "impact levels," as well as the aforementioned NIST SP 800-53 Rev. 3.

Control selection, implementation and testing are the areas where many IT professionals responsible for FISMA compliance encounter difficulties, especially since compliance is a prerequisite for a government agency to receive an Authority to Operate (ATO), the formal declaration that allows the agency to put a new system into use.


Congress unanimously passed the Federal Information Security Amendments Act of 2013 in April and as of August 2013, it was with the Senate. The proposed legislation updates the FISMA law from 2002. While its core remains a process to strengthen the security posture of government information systems, it provides more requirements on the continuous monitoring of government systems -- instead of the current check-the-box approach -- and requires each department to have a chief information security officer to develop and oversee agency-wide IT security programs.

Meanwhile, the Federal Risk and Authorization Management Program (FedRAMP) is an authorization program that requires cloud providers to receive an independent security assessment, conducted by a third-party assessment organization (3PAO), to sell government cloud services to a federal agency. A positive assessment rewards the provider with a Provisional Authority to Operate (P-ATO) that government agencies may consider.

FedRAMP grew out of the federal government's "Cloud First" policy -- issued in 2011 by former U.S. CIO Vivek Kundra -- and a memo from his successor, Steven VanRoekel, later that year. Cloud First dictates that federal agencies give preference to cloud-based technologies over their on-premises counterparts -- all other factors being equal. The follow-up memo, Security Authorization of Information Systems in Cloud Computing, requires federal agencies to use only FedRAMP-authorized cloud services.

Like FISMA, FedRAMP assessments follow guidance established in NIST SP 800-53A Rev. 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations. In addition, the General Services Administration -- the independent federal agency that oversees FedRAMP -- has developed and published additional security control requirements for implementation and testing.

Table 1: The following table compares the number of security controls assessed at each impact level across NIST's 18 families of security controls:

    Impact system level    FISMA assessment    FedRAMP assessment
    Low                    115                 116
    Moderate               252                 297
    High                   324                 N/A*

*Currently, FedRAMP authorizations are for low- and moderate-impact level systems.

Source: Chart compiled from NIST SP 800-53A Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations.

NIST finalized the next version of these guidelines -- NIST SP 800-53 Rev. 4 -- in late April. We have compiled a summary table (See Table 2) showing the changes in the number of security controls assessed at each impact level in 800-53A Rev. 3 versus Rev. 4, as well as the corresponding number of controls assessed for FedRAMP.

Table 2: Comparison of controls assessed by NIST SP 800-53 Rev. 3, NIST SP 800-53 Rev. 4 and FedRAMP.

In addition, as you review the assessment procedures, you will note that every procedure is identified as an examine, test or interview activity. On average, a FedRAMP assessment of a moderate-impact system may require the assessor to

  • Examine documentation to meet 1,396 requirements
  • Interview personnel to meet 273 requirements
  • Test select controls to meet 188 requirements

Similar goals, different authorization processes

Receiving an ATO from a senior agency official is the goal of either assessment, as it allows agencies and vendors to contract for services. The result of a FISMA assessment is an ATO from one authorizing agency to the vendor -- a one-to-one process. In FedRAMP, any agency can use a government cloud service provider that receives a P-ATO -- a one-to-many process that supports the "do once, use many" framework stated in the Cloud First policy. Once the P-ATO is issued, senior agency officials are able to issue an ATO as they enter into a contract for services.

  • FISMA authorization process: Under FISMA guidelines, an individual agency's senior officials may authorize an information system and accept the risks to the agency based on the security control implementation. Agencies may require vendors to meet requirements unique to the agency, and what is required for one agency may not meet another agency's needs. As a result, vendors tend to carry multiple ATOs based on various agencies' individual standards and requirements. In an effort to maintain each ATO, a vendor must be re-assessed at least every three years. If a vendor wants to secure many ATOs from multiple agencies, it must have the budget and resources for the many assessments required to maintain them.
  • FedRAMP provisional authorization process: The FedRAMP process is intentionally more rigorous, as it is intended to be a one-stop shop for agencies to procure services from authorized cloud providers that meet FedRAMP requirements.

The Joint Authorization Board (JAB) -- made up of officials from the GSA, the Department of Homeland Security and the Department of Defense -- will provide a P-ATO to a cloud provider if a 3PAO's independent assessment determines that the provider can successfully demonstrate that its cloud services environment meets the more stringent set of FedRAMP baseline controls for low- and moderate-impact systems and provides the additional enhancements to many controls that focus specifically on cloud systems. The 3PAO must assess the environment, document the results and submit them to the JAB for review. Once the board has reviewed and accepted the assessment, it issues the P-ATO.

After a government cloud provider receives a P-ATO, any federal agency may procure services from that cloud service provider. To receive an ATO, the cloud provider will likely have to agree to a contract that includes additional, agency-specific requirements. Additionally, once a P-ATO is issued, the cloud provider must meet the stringent requirements of the FedRAMP continuous monitoring program. These requirements are detailed in the GSA's FedRAMP Continuous Monitoring and Strategy Guide.

About the authors:
Rob Barnes is a director at Coalfire Federal, where he serves as the national practice leader for federal assessments. He is responsible for planning and conducting assessments at Coalfire, as well as providing strategic guidance to commercial and government organizations.

Tom McAndrew is an executive vice president at Coalfire Federal, an accredited FedRAMP 3PAO and subsidiary of Coalfire Systems Inc., based in Washington, D.C. He is responsible for managing all aspects of Coalfire's federal, defense, intelligence and public sector operations. Tom is recognized as an industry expert in cloud security and assessment across commercial and federal sectors, particularly within the Department of Defense and intelligence communities.

Coalfire Federal is an accredited FedRAMP 3PAO providing service to organizations pursuing FedRAMP, FISMA and DIACAP authorization and continuous monitoring.

This was first published in August 2013
