How was FedRAMP developed?
Certification and Accreditation (C&A) was originally carried out under DIACAP (the Department of Defense Information Assurance Certification and Accreditation Process), which applied a risk management framework to information systems. The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) further standardized the process. But security claims still needed to be backed by actual evidence in the form of third-party certifications.
For conventional standalone on-premises products, this evidence usually took the form of FIPS 140-2 validation of the product's cryptographic modules, with Common Criteria certification covering more general security claims. These two certifications did one very important thing:
They provided validation criteria against which security and data-encryption claims could be measured at any point in time. Organizations could also carry out a standalone FISMA (Federal Information Security Management Act) evaluation of an on-premises solution; however, that evaluation was neither scalable to other federal organizations nor recognized by them, so each agency repeated the work, multiplying the burden of going through multiple authorizations.
How do you scale security authorizations for the cloud?
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services and products. A cloud service is assessed once, and that assessment can then be reused across multiple organizations. FedRAMP is based on NIST SP 800-53, the gold standard for security control frameworks. More importantly, FedRAMP gives cloud service providers such as StoneFly, as well as their customers, a consistent and clear way to measure security on an ongoing basis. It gives cloud service providers a measurable way to implement security the right way.
By applying the FedRAMP model to their evaluation of cloud services and products, government organizations gain several benefits, including:
- Uniform assessment and authorization of cloud information security and controls
- Significant cost and time savings compared with conducting independent, often redundant, assessments
- Faster adoption of cloud solutions
- Improved trust in the validity of assessments and reduced cloud security concerns
- Increased visibility into all aspects of cloud security controls
FedRAMP evaluates cloud service providers through a comprehensive two-step process. The model is based on a uniform set of standards by which it is decided whether a cloud service or product has adequate information security and controls.
- Assessment and authorization: an independent Third Party Assessment Organization (3PAO) accredited under FedRAMP assesses the cloud system's security controls to verify that the provider can withstand a range of security threats, and the results are used to grant the authorization
- Continuous monitoring: to keep its authorization, the authorized cloud system must continue to undergo periodic assessments and report on its security posture
StoneFly Storage in Azure and Azure Government earned a P-ATO from the Joint Authorization Board
The Joint Authorization Board (JAB) is the primary decision-making and governance body for FedRAMP. The CIOs of the Department of Homeland Security, the Department of Defense and the General Services Administration serve on the JAB. The board grants a Provisional Authority to Operate (P-ATO) to cloud service providers that have demonstrated FedRAMP compliance.
Microsoft Azure was the first public cloud with platform and infrastructure services to receive a P-ATO. StoneFly's Storage in Microsoft Azure maintains a P-ATO at the Moderate impact level. StoneFly's Storage in Azure Government holds a P-ATO from the JAB at the High impact level, the highest FedRAMP baseline. This authorization permits StoneFly's Storage in Azure Government to process highly sensitive (unclassified) government data. The FedRAMP assessment of StoneFly's Storage in Azure and Azure Government covers the information security management system, including development, infrastructure, management, operations and support for the in-scope services.
StoneFly has been working with government organizations for the last two decades and has received much appreciation for its security and, more importantly, for its Certification and Accreditation (C&A) work. Together, StoneFly and Azure provide a FedRAMP-authorized turnkey solution that offers governance, compliance and data protection for customers in both public and private organizations.