Editor’s note: The following is a sponsored blog post from A-LIGN.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program in the US that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud products and services.
Federal government agencies are required to use FedRAMP-authorized products and services to maintain the integrity of cloud security within the government. Services authorized through FedRAMP include things like Adobe, Blackberry, Box, and DocuSign — meaning that federal agencies can freely use these products because they have been deemed secure.
Although it seems like a straightforward program, certain software vendors don’t fall within the scope of FedRAMP and therefore cannot be authorized through the traditional FedRAMP process. This is a problem for federal agencies and software providers alike. Federal agencies aren’t able to access some of the best tools on the market, which limits innovation and productivity, and software vendors cannot scale their businesses within the Federal government.
To solve these issues, out-of-scope organizations must pursue an alternative path to demonstrate federal compliance.
The Challenge for ISVs
Independent Software Vendors (ISVs) are one example of cloud software that cannot become FedRAMP-authorized because FedRAMP doesn’t apply to ISVs in the traditional sense.
FedRAMP was designed for Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) providers. But ISVs do not have a cloud-based “as a service” offering. ISVs build software that runs on third-party platforms such as Oracle, Salesforce, or ServiceNow.
Although there is no traditional path for an ISV to achieve FedRAMP Authority to Operate (ATO), ISVs are still subject to FedRAMP requirements if they fall within the authorization boundary of a cloud service offering (CSO) into which they are incorporated.
And because there is a lack of education and understanding amongst the federal agencies themselves, many expect ISVs to achieve FedRAMP authorization in order to bid for their contract. Unfortunately, existing FedRAMP memos do very little to fix the confusion, as they all focus on what’s in scope, not what’s out of scope.
Because of this, ISVs often miss out on closed bid opportunities or must participate in lengthy meetings and calls to educate agencies, which ultimately strains resources, extends the buying cycle, and creates friction in the sales process.
An Alternative Solution to Demonstrate Federal Compliance
In place of official FedRAMP authorization, ISVs should team up with a FedRAMP 3PAO (third-party assessment organization) to assess how the company’s processes and controls stack up against applicable FedRAMP requirements.
The first step is to evaluate the list of FedRAMP requirements (which the 3PAO will be well-versed in) and determine which controls apply to the specific ISV and which do not. For example, an ISV may be able to meet FedRAMP security controls and background investigation requirements for people working on the product, but wouldn’t be able to influence or control any FedRAMP controls related to infrastructure — because there is no infrastructure to speak of.
Once the list of applicable controls is complete, the 3PAO can assess the ISV’s processes and review evidence with the same rigor they use to assess organizations pursuing traditional FedRAMP authorization. From there, the 3PAO can attest to the security control implementation of the ISV’s offering.
At A-LIGN, we’ve formalized this process for ISVs by generating a “FedRAMP ISV Report” — a document that outlines how the ISV’s processes and controls stack up against applicable FedRAMP requirements. The report details our assessment findings and can document any remediations an ISV pursued related to any determined control gaps.
ISVs then use this report to validate their position as it relates to cloud security and provide assurance to federal agencies. In our experience, possessing a “FedRAMP ISV Report” has helped our ISV clients increase their pipeline of federal agency prospects and overcome knowledge gaps they previously faced when speaking with federal agencies.
The Future of Federal Compliance
Although there is no officially accepted substitute for FedRAMP authorization, providing out-of-scope organizations with an alternative means to demonstrate compliance is essential to promote innovation within the Federal government — and help software companies scale their business. As technology continues to evolve, and the market of cloud software, products, and services grows, the Federal government needs to review and update security standards to ensure no essential resource is off limits — and the security of all resources can be properly evaluated.