Last July, the Federal Risk and Authorization Management Program (FedRAMP) revamped the provisional authorization process to make life easier for cloud service providers (CSPs). The change let CSPs use a simple web form to delineate their business cases to FedRAMP’s Joint Authorization Board (JAB).
Now FedRAMP is making life easier for agencies as they work with CSPs by publishing a comprehensive guide to the authorization process, the “FedRAMP Agency Authorization Playbook.” Agencies are required by law to protect Federal data stored in the cloud and authorize cloud services that demonstrate their compliance with FedRAMP security baselines.
It was through their work on the provisional authorization process that FedRAMP officials turned up scores of best practices and tips that would help agencies through authorization. That work scaled into the playbook, a 21-page document that outlines a step-by-step process for issuing an initial FedRAMP authorization from start to finish.
“The creation of the FedRAMP Agency Playbook stems from FedRAMP’s work in streamlining the JAB P-ATO process, as well as the program’s agency engagement over the last two years,” Jay Huie, cloud portfolio manager at General Services Administration (GSA), told MeriTalk. “This playbook captures best practices and lessons learned from the FedRAMP community of over 120 Federal agencies and 170 industry partners, as well as FedRAMP’s own insights to help our customers achieve a FedRAMP Agency Authorization as efficiently as possible.”
The carefully crafted playbook provides information on how to work effectively with the FedRAMP program management office and CSPs in the process, and supplies a wide range of FedRAMP resources and templates involved at the various milestones.
“While developing the playbook, we tested out our methodology with an agency and a CSP,” Ashley Mahan, FedRAMP agency evangelist, told MeriTalk. “Through following the steps outlined in the playbook, an Agency Authorization was granted in 59 business days (kick off to final approval), the fastest authorization on record with the program. We are hopeful that agencies can build upon our experiences and similarly streamline their own processes so we can accelerate adoption of secure cloud services.”
The playbook designates three basic phases of the authority-to-operate process: Pre-Authorization, During Authorization, and Post-Authorization. The first two phases together take three to four months to complete, while the Post-Authorization phase is largely focused on continuous monitoring, which is ongoing. For each step in the phases, the playbook outlines agency and CSP roles and responsibilities, the purpose of the phase and desired outcomes, and best practices and considerations.
In the first stage, called “Partnership Establishment,” agencies should clearly define their mission needs and specific requirements for the cloud service offering (CSO) and begin researching possible providers. They also should check the FedRAMP Marketplace to see if there is a CSO that can meet their requirements and has either started the process or is already authorized.
In initial meetings with potential providers, the agency’s FedRAMP team should try to discern the company’s willingness and commitment to adhering to Federal security requirements. It’s critical that agencies confirm a CSP’s dedication to taking on the FedRAMP authorization process. To this end, agencies should make sure the provider has a committed leadership team managing the authorization process, the playbook states.
In addition, when meeting with potential providers, agencies should “clearly outline the level of effort involved in the authorization process,” according to the playbook.
The playbook goes on to detail key elements of the authorization process, including how to structure the “kickoff” session in which the three parties now involved in the process—the agency team, the CSP team, and representatives of the third-party authorization organization—are introduced. The playbook’s road to completing authorization then goes through a “Quality and Risk Review,” “Remediation” to address any gaps in the CSP’s system, and the “final review.”
The bottom line, FedRAMP officials said, is that the playbook “will help promote transparency and set consistent expectations for all involved,” features that are ultimately crucial to the complex process of attaining FedRAMP’s mission of securing Federal data in the cloud.