Any evaluation of a cloud solution, especially a SaaS solution, should always include a robust review of the environment, as well as the solution’s security posture.
Moving sensitive data from an on-premises environment to a cloud environment can be a daunting prospect when it comes to security. It also places a tremendous amount of responsibility in the hands of a cloud service provider (CSP). If the data isn’t properly protected, a single security incident could have a devastating impact. For this reason, many organizations are increasingly seeking out solutions that meet the security standards of the Federal Risk and Authorization Management Program (FedRAMP®).
Many of today’s SaaS vendors use the term “FedRAMP authorized” to indicate that their solutions meet a federally defined security standard. But although FedRAMP follows a defined set of security standards, FedRAMP authorization is not a static state, a one-time certification, or a standard in itself. Rather, FedRAMP authorization refers to the completion of a security review process and the subsequent authorization from a federal agency or the Joint Authorization Board (JAB) to operate a cloud-based solution that handles government data.
FedRAMP® Authorization – the Fundamentals
To obtain FedRAMP authorization, a solution must be sponsored by a federal agency and go through a rigorous review and assessment process. The results provide either a provisional authority to operate or an agency-specific authority to operate, depending on the path taken through the process. Both are specific to federal agencies.
When a vendor states that its solution is FedRAMP authorized, it means that the vendor has gone through the evaluation process, met the criteria and standards, and will be deploying the solution in one or more federal agencies. It is incorrect to use “FedRAMP authorized” as a commercial standard or as a generic term.
Deeper Insights into FedRAMP® Authorization
The FedRAMP baseline security controls implement the FIPS 200 and NIST SP 800-53 standards, with identified parameters. NIST SP 800-53 is a catalog of more than 325 security controls, with multiple variants, organized into 18 families. The FedRAMP baseline provides guidance on how the controls should be implemented. An assessment by an independent FedRAMP PMO-accredited third-party assessment organization (3PAO) validates compliance with the control implementation guidelines.
Many cloud IaaS providers (also known as hyperscalers) like Amazon, Microsoft, and Google have gone through the FedRAMP process for specific physical data centers. This is good because a CSP running solutions on one of these hyperscalers inherits its infrastructure controls. A SaaS solution vendor can leverage the hyperscaler’s authorization, but this covers only the controls specific to the infrastructure layer, which is around 50 of the more than 325 controls.
If you are evaluating hyperscalers for a private cloud, understanding that the hyperscaler has successfully completed the FedRAMP evaluation provides assurance that the infrastructure has proper security controls in place.
If you are planning to implement a PaaS or SaaS solution, knowing that it will be running on a hyperscaler that has completed the FedRAMP evaluation provides assurance for the infrastructure layer. Yet it doesn’t convey any level of authorization for the higher layers.
If you’re using the FedRAMP security profile as guidance for a SaaS solution, you should confirm that the vendor providing the solution can demonstrate that the SaaS environment, including the solution, has been evaluated against the FedRAMP baseline by a FedRAMP 3PAO. Even better, the vendor should demonstrate that the solution itself has received FedRAMP authorization and is being used by a federal agency. The vendor should be able to validate that the full set of FedRAMP-defined security controls has been implemented and evaluated across all three layers (solution, platform, and infrastructure).
The Bottom Line
FedRAMP authorization cannot be inherited by a solution or application running on a FedRAMP-authorized infrastructure. The authorization applies only to the layers and components defined in the security boundary. Likewise, a solution can only be compliant with the FedRAMP baseline if it has been evaluated against that baseline. While some security controls can be inherited, they don’t confer compliance on other layers of the solution stack.