What is FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and requires continuous monitoring for cloud products and services leveraged by Government end users. The FedRAMP program was created to accelerate the adoption of secure cloud solutions by federal agencies through reuse of assessments and authorizations, saving agencies money and speeding their journey to the cloud. As of June 2014, all federal agencies are mandated by the White House Office of Management and Budget to use FedRAMP authorized Cloud Service Providers when providing services that require an Authority to Operate (ATO) as part of ensuring they are meeting this compliance standard.
Cloud Service Providers (CSPs) are required to undergo a rigorous assessment by an approved third-party assessment organization (3PAO) to achieve their authorization, along with satisfying the monthly and annual reporting and assessment requirements as part of the FedRAMP Continuous Monitoring Program
QTS Government Cloud was granted a FedRAMP Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) in February 2015 and will continue meeting FedRAMP compliance requirements. QTS Government Cloud is also authorized to host Department of Defense (DoD) Impact Level 2 (IL2) workloads.
Once a P-ATO is granted, agencies can leverage the certification in their own security authorization processes, using that baseline as a starting point for obtaining an ATO using their respective security authorization processes. FedRAMP also provides for continuous compliance monitoring. Once granted a P-ATO, Cloud Service Providers (CSPs) such as QTS are monitored and assessed annually and must demonstrate their service offerings remain in compliance. Using the baseline for security controls within FedRAMP allows agencies to better focus on agency-specific requirements and reduces certification and accreditation costs. The FedRAMP standards and processes leverage the work and initiatives of other federal agencies as well as compliance statutes and programs.
- Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
- Increase confidence in security of cloud solutions
- Achieve consistent security authorizations using a baseline set of agreed upon standards to be used for cloud product approval in or outside of FedRAMP
- Ensure consistent application of existing security practice
- Increase confidence in security assessments
- Increase automation and near real-time data for continuous monitoring
- Increase re-use of existing security assessments across agencies
- Save significant cost, time, and resources – “do once, use many times”
- Improve real-time security visibility
- Provide a uniform approach to risk-based management
- Enhance transparency between government and Cloud Service Providers (CSPs)
- Improve the trustworthiness, reliability, consistency, and quality of the Federal security authorization process
What is FISMA
The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law part of the Electronic Government Act of 2002.
FISMA, along with the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), explicitly emphasizes a risk-based policy for cost-effective security. FISMA, requires executive federal agencies to:
- Plan for security
- Ensure that appropriate officials are assigned security responsibility
- Periodically review the security controls in their information systems
- Authorize system processing prior to operations and, periodically, thereafter
FISMA assigns responsibilities to various agencies to ensure the security of data in the federal government. The act requires program officials, and the head of each agency, to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner. The National Institute of Standards and Technology (NIST) outlines nine steps toward compliance with FISMA:
- Categorize the information to be protected.
- Select minimum baseline controls.
- Refine controls using a risk assessment procedure.
- Document the controls in the system security plan.
- Implement security controls in appropriate information systems.
- Assess the effectiveness of the security controls once they have been implemented.
- Determine agency-level risk to the mission or business case.
- Authorize the information system for processing.
- Monitor the security controls on a continuous basis.