Three years in, FedRAMP offers 3 paths to compliance

In its December newsletter, the Program Management Office for the Federal Risk and Authorization Management Program (FedRAMP) rolled out a new FedRAMP logo and announced the addition of four cloud systems to its list of authorized service providers, bringing the total of authorized solutions to 27 since the program was first announced in late 2011. These cloud systems break down into three categories according to the approach used to achieve FedRAMP authorization:

1. Employing the services of an accredited independent third-party assessment organization (3PAO) to assess the security controls implemented by a cloud service provider and submitting the Security Assessment Report and other documentation prepared by the 3PAO to the FedRAMP Joint Authorization Board for approval (termed “JAB Provisional Authorizations”).
2. Working directly with a federal agency to produce the security documentation and assessment evidence needed to receive an agency authorization to operate (ATO), which can then be reviewed by the Joint Authorization Board for FedRAMP compliance and made available for other agencies to leverage.
3. Creating a security authorization package and submitting it to the FedRAMP program for review and verification of completeness, as a time-saving step facilitating subsequent review of a cloud service provider (CSP) by a federal agency to make an authorization decision.

The availability of multiple paths to FedRAMP compliance seems to support the program’s commitment to encouraging as many service providers as possible to participate. Both the 3PAO and CSP-supplied paths can be undertaken without an existing federal agency contract in place, although the finalization of the FedRAMP authorization process under the third approach still requires the involvement of an agency customer. The CSP-supplied approach is significantly less expensive than using a 3PAO – independent assessments typically require six-figure investments by CSPs – but leaves the CSP without an actual authorization to operate. To date, only one of the 27 cloud systems on the FedRAMP list falls under the CSP-supplied category, while there are 15 systems with JAB provisional ATOs and 11 agency-authorized systems (some of which have been authorized by more than one agency).