Understanding FedRAMP: Cloud Service Provider’s Top 4 Questions Answered

By: Gene Geiger, Partner of A-LIGN Security and Compliance Services

As an information security and audit firm focused on the compliance needs of service providers, A-LIGN’s accreditation as a FedRAMP third party assessment organization (“3PAO”) is a natural fit with our existing service offerings. Since becoming a FedRAMP 3PAO, we have noticed a trend in client calls stating their customers are inquiring about FedRAMP or that FedRAMP is being discussed during the sales cycle with prospective customers. With that being said, I thought it would be beneficial to outline the most common FedRAMP questions we have received with detailed responses.

Q1: What is FedRAMP and does it apply to me?

As explained by FedRAMP on their website, “The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves money, time, and staff required to conduct redundant agency security assessments.”

Federal agencies that host their technology in the Cloud are required to use a FedRAMP certified Cloud Service Provider (“CSP”). Although FedRAMP is designed specifically for Federal agencies, we are finding that many State governments are also inquiring about FedRAMP when working with our CSP clients.

If you are hosting Federal systems or if this is a primary focus of your growth strategy then FedRAMP applies to your environment.

Q2: Why was FedRAMP developed?

FedRAMP defines the program goals and benefits on their website as:



  • Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
  • Increase confidence in security of cloud solutions
  • Achieve consistent security authorizations using a baseline set of agreed upon standards to be used for Cloud product approval in or outside of FedRAMP
  • Ensure consistent application of existing security practices
  • Increase confidence in security assessments
  • Increase automation and near real-time data for continuous monitoring
  • Increases re-use of existing security assessments across agencies
  • Saves significant cost, time and resources – “do once, use many times”
  • Improves real-time security visibility
  • Provides a uniform approach to risk-based management
  • Enhances transparency between government and cloud service providers (CSPs)
  • Improves the trustworthiness, reliability, consistency, and quality of the Federal security authorization process

You will notice that “increased security” and “reduced cost” are the primary drivers behind each point in the FedRAMP table.

As Federal agencies adopt the Cloud computing model they reap the same benefits as the private sector and are also exposed to the same risks when outsourcing the information technology function. FedRAMP addresses these goals by establishing a standard set of security controls that allow Federal agencies to take advantage of the Cloud.

Q3: How do I become FedRAMP certified?

FedRAMP has broken the initial certification process in to the following steps. Each step contains a hyperlink to FedRAMP’s website which will provide further detail.



Initiating a Request.
  • Agencies and CSPs can both apply to FedRAMP to initiate an assessment of a cloud service provider
Documenting Security Controls.
  • Once the CSP has implemented the required security controls, the next process is to document the security control implementations in a System Security Plan (SSP).
Performing Security Testing.
  • Once the SSP has been approved, the CSP contracts with an accredited FedRAMP Third Party Assessment Organization for them to independently test the CSP’s system to determine the effectiveness of the security control implementation.
Finalizing the Security Assessment.
  • JAB reviews the security assessment package and makes final risk-based decision on whether or not to grant a Provisional Authorization.

The steps provided above are where we spend the majority of our time discussing FedRAMP with our clients. Unlike other compliance audits you may have experienced, FedRAMP has several components that will impact the level of effort and time requirements for the project. The “documenting security controls” and “performing security testing phases” will be new to you if you are not currently compliant with the Federal Information Security Management Act (“FISMA”) and/or familiar with NIST Special Publication 800-53.

The documenting security controls phase includes completing the templates provided by FedRAMP. The System Security Plan template alone is over 300 pages. If all controls are already in place, this will be a significant documentation exercise, however, if the controls are not in place or the security processes have not been implemented, the controls should be implemented prior to completing the documentation. Many companies are electing to obtain outside assistance with the documentation phase do to the level of effort required.

The security testing phase is performed by a FedRAMP 3PAO, like A-LIGN, following the prescribed testing procedures provided by FedRAMP. To ensure a consistent level of information security controls and auditing, the testing procedures are very prescriptive and comprehensive.

Q4: How do I get started?

There are several routes you can take to FedRAMP certification, but they all depend on your current level of compliance with NIST 800-53. For organizations that are familiar with the controls and are possibly FISMA certified, you may choose to jump right in to the FedRAMP process. However, if you are not familiar with FISMA or FedRAMP and have never written a system security plan we recommend that you evaluate your current controls and processes against the FedRAMP requirements and create a project plan to prepare you for the FedRAMP certification process. Also, you may elect to perform a FedRAMP readiness assessment, or mock audit, to determine your level of readiness for the 3PAO assessment.

Whatever your path or level of readiness we recommend that you research and ask questions to understand the impact of FedRAMP on your business and the level of effort required to reach your goal.

For questions on FedRAMP please contact Gene Geiger at 888-757-7450 or gene.geiger@a-lign.com.