Last Updated on January 13, 2024
What can you do right—or avoid doing wrong—to streamline your journey to a FedRAMP Authority to Operate (FedRAMP ATO)?
This post shares three tips and lessons learned from Mike Craig, CEO at Vanaheim Security.
One: Make sure you have top-down organizational alignment from the outset
For many companies, the journey to a FedRAMP ATO starts something like this: The senior leadership decides that it would be great to start selling into the US government market. So, they tell their program managers, etc. to go get a FedRAMP authorization. Then comes all the back-and-forth about costs, requirements, resources, etc.
“This creates a start-and-stop relationship with your agency sponsor,” Mike points out. “And it creates a lot of the messes that I’ve seen.”
Having top-down organizational alignment and understanding is a critical step that should precede even your analysis of whether or not to “do” FedRAMP.
Two: Make sure you’re using only FedRAMP Authorized third-party cloud native services
The FedRAMP program will authorize cloud native services inside many of the major cloud providers (Microsoft Azure, Amazon Web Services, Google Cloud, etc.). Leveraging these services in your new offering can help accelerate your FedRAMP journey if you’re starting from scratch.
Likewise, if you’re looking to “federalize” or “FedRAMP-ify” an existing solution, you need to make sure that all the cloud native services you’re using are FedRAMP Authorized. Check the FedRAMP Marketplace and vendor websites to get started.
Three: Make sure your encryption is FIPS Validated
According to Mike, the FedRAMP Program Management Office is currently very focused on ensuring compliance with the Federal Information Processing Standard (FIPS) Publication 140-3. To meet FedRAMP requirements, any solution must store, process, and/or transmit sensitive US government data in a FIPS 140-3 validated manner throughout.
To achieve FIPS Validation (the specific term for meeting FIPS requirements), a cryptographic module must be tested and approved at an accredited US laboratory. Some vendors might represent their products as “FIPS authorized” or “FIPS compliant.” But they need to be specifically “FIPS Validated,” and you need to know the exact FIPS Cryptographic Module Validation Program (CMVP) certificate number for each such module your solution uses. This includes modules that are part of operating systems.
“Labeling those services inside of your data flow diagrams and everything else in your submission package [with FIPS CMVP certificate numbers] is now required,” Mike explains. “Understanding that that is going to be a requirement very early on when you’re going through your build saves an enormous amount of time.”
For companies hoping to get FedRAMP authorization for an existing cloud solution, the need to make product architectural changes associated with these kinds of requirements is critical to know and investigate early on. It can even be a key factor in deciding to create a separate product version for US government customers.
What’s next?
For more guidance on this topic, listen to Episode 120 of The Virtual CISO Podcast with guest Mike Craig from Vanaheim Security.