The purpose of FedRAMP is simple – to act as a common set of security controls that can be accepted government-wide. However, since the July 2014 FedRAMP rollout, this security risk management program has gotten increasingly complex.
With the initial FedRAMP rollout, the Joint Authorization Board (JAB), which is comprised of the CIOs from the Department of Homeland Security (DHS), Department of Defense (DoD), and the General Services Administration (GSA), began to assess cloud platforms against the common set of security controls. Not long after, a second path was added, Agency FedRAMP Authorization, which allowed an agency to issue an authority to operate (ATO) after assessing the security controls. Finally, a third option was added, the CSP Supplied Package.
With the three unique paths to receiving a FedRAMP P-ATO, the question comes up, “Which type of FedRAMP P-ATO’d cloud platform is right for an agency’s applications?”
Let's jump right in and not only define each of the three paths but also highlight some of the most notable differences:
A JAB Provisional Authorization is the most rigorous technical review of the three options. A JAB Provisional ATO (P-ATO) indicates that the cloud platform has undergone a technical review by the FedRAMP Project Management Office (PMO), has been assessed by a FedRAMP-accredited third-party assessment organization (3PAO), and has been reviewed by representatives from DHS, DoD, and GSA.
The goal of the JAB P-ATO is to have a common set of security controls assessed and approved for use government-wide. Cloud service providers (CSPs) that offer a JAB P-ATO cloud solution are capable of supporting many different government agency projects using the same cloud platform. Fewer JAB P-ATO'd clouds are currently available; however, an agency that selects a JAB P-ATO'd cloud platform will inherit the approved security controls of the cloud platform. This can offer time and cost savings for the agency.
Agency FedRAMP Authorization indicates that the CSP has worked with that specific agency to develop a cloud platform that meets all agency security controls. The FedRAMP PMO has performed an initial review of the cloud documentation before awarding a P-ATO.
Agency P-ATOs have been assessed to ensure that security controls meet that agency’s security requirements. This may provide an easier path for departments within that agency to quickly deploy new applications. There could certainly be time and cost savings to deploy new applications for the agency that authorized the original P-ATO. As other agencies have not assessed the security controls, however, there is less of a guarantee that the P-ATO’d cloud will be approved for use by another government agency.
CSP Supplied Package P-ATO'd clouds have documentation that has been assessed by an accredited 3PAO before submission to the FedRAMP PMO. Through this path, the CSP and its 3PAO have determined that the CSP's security controls are compliant.
Although this route can be seen as a quick path to a FedRAMP P-ATO, the CSP's security controls have not been assessed by a government agency or by the JAB. As such, there is even less of a guarantee that a government agency will choose to accept the P-ATO or to use the CSP to house its applications. While selecting a CSP Supplied Package P-ATO'd cloud allows a government agency to select that CSP, the agency may ultimately face increased time and cost to deploy on that platform, as it may need to assess the full infrastructure as well as its application to ensure full security compliance.
Selecting the right CSP for an agency's application should be carefully considered. Choosing to work with a JAB P-ATO'd cloud helps to ensure that the most stringent security assessment has been performed on the platform; the drawback is that fewer CSPs are currently available to choose from. An Agency P-ATO'd cloud provides a secure environment that has been assessed against a specific agency's security controls but may not be accepted government-wide. The CSP Supplied Package P-ATO offers a quick initial path to FedRAMP; however, an agency may end up spending more time and money assessing the security controls of the infrastructure, negating any time or cost savings achieved by selecting that CSP.
Our recommendation is to select the P-ATO’d cloud platform that is capable of meeting the agency’s security control requirements or is flexible enough to layer the agency’s security controls on top of the base infrastructure.