Selling government cloud services: FedRAMP vs. FISMA

Even if a cloud provider isn't planning to sell government cloud services, it's still important to have a basic understanding of FedRAMP and FISMA.

As an accredited third-party assessment organization for FedRAMP -- the U.S. government's risk management program for cloud procurement -- we get many questions from federal agencies and cloud providers about the difference between FedRAMP and FISMA, a federal law that defines the framework for protecting government data overall. The answer lies in the differences between the controls tested and their authorization processes.

Even if a cloud provider isn't planning to compete in the public sector with government cloud services, it's still important to have at least a basic understanding of both programs. Here's why: The federal government is the largest single producer, collector, consumer and disseminator of information in the United States, so any changes in regulatory requirements that affect the agencies have the potential to significantly affect the commercial sector as well.

Same standards, additional controls

The Federal Information Security Management Act (FISMA) of 2002 mandates a process to strengthen the security posture of government information systems, and compliance is required by law for federal agencies.


When most agencies and their vendors discuss being "FISMA-compliant," what they are usually referring to is meeting the controls identified in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems. This is because the law is enforced through various processes described in the Office of Management and Budget (OMB) Circular A-130, which establishes definitions, processes and requirements for federal agencies to follow. Through Circular A-130, FISMA directs agencies to follow the guidance NIST has issued for selecting and implementing security controls based on the system's impact level. That guidance includes Federal Information Processing Standards (FIPS) 199, which explains how to categorize and secure systems according to "impact levels," as well as the aforementioned NIST SP 800-53 Rev. 3.

The control selection, implementation and testing are areas where many IT professionals responsible for FISMA compliance encounter difficulties, especially when meeting compliance is essential for government agencies to receive an Authority to Operate (ATO), a formal declaration allowing agencies to use a new system.


Congress unanimously passed the Federal Information Security Amendments Act of 2013 in April, and as of August 2013 it was with the Senate. The proposed legislation updates the FISMA law from 2002. While its core remains a process to strengthen the security posture of government information systems, it adds requirements for continuous monitoring of government systems -- instead of the current check-the-box approach -- and requires each department to have a chief information security officer to develop and oversee agency-wide IT security programs.

Meanwhile, the Federal Risk and Authorization Management Program (FedRAMP) is an authorization program that requires cloud providers to receive an independent security assessment, conducted by a third-party assessment organization (3PAO), to sell government cloud services to a federal agency. A positive assessment rewards the provider with a Provisional Authority to Operate (P-ATO) that government agencies may consider.

FedRAMP grew out of the federal government's "Cloud First" policy -- issued in 2011 by former U.S. CIO Vivek Kundra -- and a memo from his successor, Steven VanRoekel, later that year. Cloud First dictates that federal agencies give preference to cloud-based technologies over their on-premises counterparts -- all other factors being equal. The follow-up memo, Security Authorization of Information Systems in Cloud Computing, requires federal agencies to use only FedRAMP-authorized cloud services.

Like FISMA, FedRAMP assessments follow guidance established in NIST SP 800-53A Rev. 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations. In addition, the General Services Administration -- the independent federal agency that oversees FedRAMP -- has developed and published additional security control requirements for implementation and testing.

Table 1: The following table compares the number of security controls assessed at each impact level across NIST's 18 families of security controls:

Impact system level | FISMA assessment | FedRAMP assessment
*Currently, FedRAMP authorizations are for low- and moderate-impact level systems.

Source: Chart compiled from NIST SP 800-53A Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations.

NIST finalized the next version of these guidelines -- NIST SP 800-53 Rev. 4 -- in late April. We have compiled a summary table (See Table 2) showing the changes in the number of security controls assessed at each impact level in 800-53A Rev. 3 versus Rev. 4, as well as the corresponding number of controls assessed for FedRAMP.

Table 2: Comparison of control assessed by NIST SP 800-53 Rev. 3, NIST 800-53 Rev. 4 and FedRAMP.


In addition, as you review the assessment procedures, you will note that every procedure is identified as an examine, test or interview activity. On average, a FedRAMP assessment of a moderate-impact system may require the assessor to:

  • Examine documentation to meet 1,396 requirements
  • Interview personnel to meet 273 requirements
  • Test select controls to meet 188 requirements

Similar goals, different authorization processes

Receiving an ATO from a senior agency official is the goal of either assessment, as it allows agencies and vendors to contract for services. The result of a FISMA assessment is an ATO from one authorizing agency to the vendor -- a one-to-one process. In FedRAMP, any agency can use a government cloud service provider that receives a P-ATO -- a one-to-many process that supports the "do once, use many" framework stated in the Cloud First policy. Once the P-ATO is issued, senior agency officials are able to issue an ATO as they enter into a contract for services.

  • FISMA authorization process: Under FISMA guidelines, an individual agency's senior officials may authorize an information system and accept the risks to the agency based on the security control implementation. Agencies may require vendors to meet requirements unique to the agency, and what is required for one agency may not meet another agency's needs. As a result, vendors tend to carry multiple ATOs based on various agencies' individual standards and requirements. In an effort to maintain each ATO, a vendor must be re-assessed at least every three years. If a vendor wants to secure many ATOs from multiple agencies, it must have the budget and resources for the many assessments required to maintain them.
  • FedRAMP provisional authorization process: The FedRAMP process is intentionally more rigorous, as it is intended to be a one-stop shop for agencies to procure services from authorized cloud providers that meet FedRAMP requirements.

The Joint Authorization Board (JAB) -- made up of officials from the GSA, the Department of Homeland Security and the Department of Defense -- will provide a P-ATO to a cloud provider if a 3PAO's independent assessment determines the provider can successfully demonstrate that its cloud services environment meets the more stringent set of baseline controls in FedRAMP for low- and moderate-impact systems and provides the additional enhancements to many controls that focus specifically on cloud systems. The 3PAO must assess the environment, document the results and submit them to the JAB for review. Once the board has reviewed and accepted the assessment, it issues the P-ATO.

After a government cloud provider receives a P-ATO, any federal agency may procure services from that cloud service provider. To receive an ATO, the cloud provider will likely have to agree to a contract that includes additional, agency-specific requirements. Additionally, once a P-ATO is issued, the cloud provider must meet the stringent requirements of the FedRAMP continuous monitoring program. These requirements are detailed in the GSA's FedRAMP Continuous Monitoring and Strategy Guide.

About the authors:
Rob Barnes is a director at Coalfire Federal, where he serves as the national practice leader for federal assessments. He is responsible for planning and conducting assessments at Coalfire, as well as providing strategic guidance to commercial and government organizations.

Tom McAndrew is an executive vice president at Coalfire Federal, an accredited FedRAMP 3PAO and subsidiary of Coalfire Systems Inc., based in Washington, D.C. He is responsible for managing all aspects of Coalfire's federal, defense, intelligence and public sector operations. Tom is recognized as an industry expert in cloud security and assessment across commercial and federal sectors, particularly within the Department of Defense and intelligence communities.

Coalfire Federal is an accredited FedRAMP 3PAO providing service to organizations pursuing FedRAMP, FISMA and DIACAP authorization and continuous monitoring.

This was last published in August 2013
