tags: #publish
links: [[Software and Tech]]
created: 2021-07-24 Sat
---
# FedRAMP
**Federal Risk and Authorization Management Program**
See also [[StateRAMP]], because one version of compliance is never enough!
A heavyweight and onerous US Government compliance program that standardizes the security assessment, authorization and continuous monitoring of cloud services used by federal agencies, with the stated goal of promoting cloud adoption across government.
FedRAMP is a great example of [[Competitive Compliance]] - it's very expensive to attain, so it locks out smaller vendors, or severely restricts what they can achieve.
## Terminology
**ATO** = Authority To Operate
## Levels
Impact levels follow [[FIPS]] 199 (low/moderate/high impact to confidentiality, integrity and availability), and each level selects a larger baseline of controls:
- Low (with "Tailored", a.k.a. LI-SaaS, as a lighter-weight variant for low-impact SaaS)
- Moderate (where most commercial cloud offerings land)
- High
## Related standards
Every FedRAMP baseline (Low/Moderate/High) is a selection of controls from the [[NIST 800-53]] catalog; the Moderate ATO requires the Moderate baseline. [[NIST 800-171]] is derived from 800-53 (it covers CUI in non-federal systems) and overlaps heavily, but is a separate requirement rather than a strict subset.
[[FIPS]] standards are required as well: [[FIPS]] 199 defines the impact levels above, and cryptography protecting federal data (in transit and at rest) must use FIPS 140-2/140-3 validated modules.
## Why's it hard?
- **High** forces changes in team structure, who has access - e.g. may require a US-located team of US citizens
- **Moderate** and **High** force changes to development process
- Isolation of environments, maybe supporting infrastructure
- May force you to change versions or builds of crypto libs for FIPS compliance (e.g. a FIPS-validated OpenSSL module instead of the distro default, with non-approved algorithms disabled)
- Restrictions on which base system software you can use
## Evolution
2021:
- Presumption of adequacy: once a provider is certified, don't force recertification for every new federal agency that uses them (I know I know, can't believe this wasn't already the case. It's like the agencies don't trust each other or something.)
- Accept [[OSCAL]] machine-readable "security authorization package" info via an API, to facilitate automated review and assessment (adopting this sort of requires reworking your entire deployment and compliance tooling to emit OSCAL, though)
https://governmentciomedia.com/federal-tech-leaders-outline-future-fedramp
2023:
- Analysis of proposal, still in draft/comment phase: https://www.schellman.com/blog/federal-compliance/the-2023-omb-draft-memorandum-on-fedramp-explained
- Discourage dual parallel deployment of FedRAMP/Commercial
- Not very realistic? FedRAMP is too heavy for most Commercial envs
- Advance notice, instead of approval, for security-impacting changes
- Reduce barrier for entry / sponsor requirements
## Boundary
Guidance on drawing the authorization boundary, i.e. which systems, services and data flows are in scope for assessment (everything that stores, processes or transmits federal data, plus the services it depends on):
https://www.fedramp.gov/assets/resources/documents/CSP_A_FedRAMP_Authorization_Boundary_Guidance.pdf