Staying safe online isn’t as simple as it once was. New services like cloud computing have opened up vulnerabilities that require meticulous management. Federal agencies are no stranger to the challenges of protecting data. In an attempt to help federal agencies manage the risks of cloud computing, the US government implemented FedRAMP and FISMA.
What is FedRAMP?
FedRAMP or the Federal Risk and Authorization Management Program is a risk assessment program organized by the General Services Administration (GSA) that outlines how cloud services should be evaluated for security.
The government released FedRAMP to support the Cloud First policy of 2011 to help agencies to keep cloud services secure. Today federal agencies use FedRAMP to evaluate whether cloud service providers meet security requirements and to verify whether providers are in accordance with federal law.
Agencies are assessed by Third Party Assessment Organizations (3PAO) that have been accredited but the American Association of Laboratory Accreditations (A2LA). Cloud providers become FedRAMP authorized so that federal institutions can choose to search for secure cloud solutions easily.
Having FedRAMP-approved vendors means that federal agencies can look up a list of authorized vendors before adopting a new solution. Having cloud services pre-authorized also cuts the cost of running unnecessary security assessments.
FedRAMP Compliance Requirements
The requirements that cloud service providers are subjected to are steeper than those in FISMA. Entities must only implement controls that mitigate the risks of cloud service but review those controls over time to ensure long-term protection. There are a number of elements that CSPS and federal agencies should be aware of:
- Continuous monitoring – Cloud providers must continuously monitor the security controls they have in place, evolve with the environment changes, and update the security controls to address emerging threats. They must also remediate any vulnerabilities found and create a Plan of Actions & Milestones.
- Security controls – Implement a mixture of physical access, logical access, and network access controls. Including photo ID’s, two factor authentication, change management, risk management, security incident response plan, firewalls (with FIPS 140-2 encryption), Intrusion Detection Service (IDS), Intrusion Prevention Service (IPS), and an anti-virus solution.
- System Security Plan – As part of the System Security Plan (SSP) the CSP must produce a description of all the security controls protecting the system. Alongside the SSP, CSPs should take additional documentation including Information Security Policies and Procedures, a Privacy Impact Assessment, Incident Response Plan, Control Implementation Summary, Configuration Management Plan, User Guide, and a Digital Identity Worksheet.
- Vulnerability scanning – CSPs have an obligation to conduct regular vulnerability scanning of systems once a month. The reports must then be sent to a JAB or an AO. The vulnerability scanners configuration must be approved by a 3PAO. Once a vulnerability has been discovered it must be mitigated in 30 days, 90 days, or 180 days depending on whether the vulnerability is high-risk, moderate-risk, or low-risk.
What is FISMA
The Federal Information Security Management Act or FISMA is a federal law passed in 2002 that sets standards governing information security. In simple terms, the legislation includes a framework for protecting data and completing risk assessments. More specifically, FISMA uses the Federal Information Processing Standard (FIPS) 199 to categorize information systems and puts forward security controls from the National Institute of Standards and Technology (NIST) Special Publication (SP 800-53).
Some of the provisions include maintaining an inventory of IT systems, categorizing systems according to risk, creating a system security plan, using security controls, running continuous monitoring, and completing risk assessments.
FISMA not only applies to federal institutions but also covers other enterprises that provide services to those solutions. Agencies subject to FISMA must conduct annual reviews and report the results to the Office of Management and Budget (OMB). Failure to comply with FISMA regulations can result in fines and the termination of existing contracts.
FISMA Compliance Requirements
Federal agencies need to be aware of FISMA requirements to make sure they have adequate security procedures in place to protect their data. Some of the top FISMA requirements are:
- Create and maintain an inventory of IT systems – Federal agencies must create an inventory of all the systems that they own. They must also note integrations and interdependencies with external systems that aren’t directly controlled by the agency (such as a cloud service).
- Risk Categorization – Federal agencies must categorize data and IT systems according to risk level. Risk levels can be found in FIPS 199 “Standards for Security Categorization of Federal Information and Information Systems.” Low impact systems don’t contain sensitive data, moderate systems contain some degree of sensitive data, and high-impact systems include data that could put the government at risk.
- Security Controls – Agencies must implement security controls from the NIST SP 800-53 document. The document includes advised controls, but it is important to note that an agency doesn’t have to implement them all. They must simply select the controls that are most relevant to the environment they operate within.
- Create a System Security Plan – Agencies should create a System Security Plan (SSP) and update it regularly. The plan should detail security controls and a Plan of Action and Milestones (POA&M).
- Risk Assessments – Agencies need to conduct risk assessments to identify security risks. The NIST SP 800-30 document provides guidance on how to conduct risk assessments. Agencies must use these assessments to determine if they need to add any other security controls.
FedRAMP vs FISMA: The Similarities
FedRAMP and FISMA share a number of similarities. They are both federal security frameworks with the goal of protecting government data. To keep data protected, both FedRAMP and FISMA use security controls outlined in the NIST 800-53 (the only difference is that FedRAMP has more controls for CSPs).
Each framework categorizes information systems according to the security levels of risk. The more important a system the more security required to protect. Both frameworks include the following controls:
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Security Assessment & Authorization (CA)
- Configuration Management (CM)
- Contingency Planning (CP)
- Identification & Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Physical & Environmental Protection (PE)
- Planning (PL)
- Personnel Security (PS)
- Risk Assessment (RA)
- Systems & Services Acquisition (SA)
- Systems & Communications Protection (SC)
- Systems & Information Integrity (SI)
For each regulation, agencies must attain an ATO. Under each set of regulations the ATO is issued but the government once the security has been verified by a third party. However, the authorization process for doing so is different.
FedRAMP and FISMA Differences
FedRAMP regulations are centered on managing cloud service security controls and FISMA focuses on general IT security. Fundamentally, FedRAMP was drafted to make it easier for federal agencies to find cloud service providers with the FedRAMP seal of approval.
FISMA is more focused on general IT security controls and offers guidelines for government agencies to protect the data they hold. In other words, FedRAMP is FISMA for cloud service providers. The idea behind FedRAMP is that a government agency can check if a cloud provider is government-approved before adopting a new solution.
To some extent, FedRAMP also has a higher standard of security than FISMA because it isn’t limited to NIST requirements and any security controls in place have to be approved by a 3PAO. For agencies and cloud service providers, FedRAMP is superior for protecting cloud services because it focuses on security concerns specific to cloud services.
Another significant difference is the assessment process. Under FedRAMP, cloud providers must pass a security assessment held by a third-party assessment organization (3PAO). In contrast, to achieve FISMA accreditation an agency must complete a security assessment. The assessment can be performed by the agency directly or by an authorized third party.
The provider then needs to obtain an authority to operate; which comes in two forms; Joint Authorization Board Provisional Authority to Operate (JAB P-ATO) and the FedRAMP Agency ATO.
To earn the JAB P-ATO, the provider gets authorization approved by the FedRAMP Project Management Office, and the Joint Authorization Board (JAB), which includes other federal entities like the General Services Administration (GSA), Department of Homeland Security (DHS), and the Department of Defense (DoD). The process can be extensive and costly.
On the other hand, the FedRAMP agency ATO is much simpler. A federal agency sponsors the cloud service provider. Usually, FedRAMP ATO’s are used by cloud service providers that design a product for an agency. After achieving accreditation the cloud service will become a FedRAMP Authorized solution that other agencies can use.
FedRamp and FISMA: Two Sides of the Federal Regulatory Compliance Coin
When trying to comply with FedRAMP and FISMA it is useful to remember that they are two sides of the same coin. Each provides guidelines to govern security risks to federal data. No matter what path an agency wants to take it must undergo a security assessment process and obtain an ATO.
Although FedRAMP and FISMA may share the goal of protecting government data, they each have a different role. FedRAMP focuses on making sure that cloud service providers are equipped to support the needs of federal agencies and FISMA focuses on making sure that federal agencies are using a secure system.
Making sure you comply with FedRAMP requirements ensures that your cloud service provider is protecting your data. Similarly, complying with FISMA will ensure sure that internal security controls are satisfactory and reduce the risk of data being compromised or lost.
FedRAMP and FISMA FAQs
What is the difference between FedRAMP and NIST?
There is a close comparison between FedRAMP and NIST 800-53. However, they are not the same. The NIST rules offer businesses a framework for data security. FedRAMP is a standard of data security that cloud platforms that hope to get business from US government agencies are expected to meet.
Does NIST 800-171 require FedRAMP?
FedRAMP requires NIST 800-171. The NIST guidance explains how non-government organizations should handle government information and it specifically relates to Controlled Unclassified Information (CUI). NIST 800-1721 is a subset of NIST 800-52 guidance. Cloud providers need to show their security procedures are adequate to protect the public-sector data that they will hold if they are selected as a service by a government agency.
What does FedRAMP moderate impact level mean?
When assessing a cloud platform for use, IT service buyers in a government agency have to apply FISMA rules as part of the suitability evaluation for that service. A Risk Categorization step in the FISMA assessment process examines the suitability of the system for holding sensitive data. Systems that are cleared for holding sensitive data are termed “high impact.” A low impact system should only be used for processing or storing non-sensitive data. Moderate impact systems lie between these two categories.