NIST and FedRAMP – A brief overview

Written by guest author Ken Lynch

NIST background

NIST (the National Institute of Standards and Technology) is the body responsible for creating a series of regulatory documents commonly referred to as SPs (Special Publications). For instance, the NIST SP 800 series covers computer security, and NIST SP 800-53 Revision 4 sets out the security and privacy controls required for federal information systems and organizations. These data security and privacy requirements are mandatory for all data and information systems in the US federal government. The NIST 800 series also covers a wide range of other aspects, including risk mitigation (NIST SP 800-37 Revision 1) and data security (NIST SP 800-30 Revision 1).

What is the primary aim of FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is an assessment and authorization process that the Office of Management and Budget has directed U.S. federal agencies to use to ensure security is in place when they adopt cloud computing products and services. The main goal of FedRAMP is to let all government agencies benefit from Cloud services without duplicating data security functions across agencies. Typically, CSPs (Cloud service providers) offer Cloud products such as IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service) to various government agencies. These systems must conform to all FISMA regulations, and FedRAMP provides the much-needed process for making continuous data security monitoring operationally efficient, so that the various agencies can benefit from Cloud technology.

Two years ago, FedRAMP introduced a new approach that changed how its JAB (Joint Authorization Board) P-ATO (Provisional Authority to Operate) process is executed. Its primary objective was to create a smoother, up-to-date authorization management program with more predictable timeframes for reviewing authorization packages.

FedRAMP relies on several NIST SPs, including SP 800-37, which provides the process for managing and mitigating risk, and SP 800-53, which serves as the central catalog of all system security controls. The streamlined FedRAMP process is designed to distinguish the controls managed by the CSP from those managed by the agencies purchasing the Cloud computing services.

For example, a SaaS/PaaS provider offers the same shared security protection to all of its system users. The SaaS provider operates from a single data center, which keeps the risk consistent and low for every user subscribed to that provider. Every government agency that contracts Cloud computing services from any Cloud-based platform remains responsible for implementing its own security controls, such as strong passwords, to ensure that the data it uploads to the Cloud is adequately secured.

Consequently, a CSP that wishes to contract its services to the government must determine which security controls are critical to the services being contracted and engage an independent third-party assessment organization to conduct a comprehensive assessment at the appropriate impact level. Once the evaluation has been completed on behalf of one federal agency, other agencies are allowed to reuse the findings of that assessment to reduce their own expenses and time.

Summary

NIST provides standards and various regulations for data security, privacy, and risk mitigation for all data systems used by the US federal government. FedRAMP, on the other hand, largely relies on NIST guidelines and specifications to streamline its processes and assist various government agencies to use different Cloud services responsibly and safely.

Although FedRAMP compliance isn’t mandatory for private organizations that don’t work directly with government agencies, Cloud computing can still enhance their efficiency, productivity, and consistency. Using specific software platforms can also speed up the compliance process for government organizations. Some systems even ship with the NIST SP 800-53 and FedRAMP controls pre-loaded on their platform.

Author bio

Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that, propelling Reciprocity’s success with this mission-based goal of engaging employees with their company’s governance, risk, and compliance goals in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at reciprocitylabs.com.

Resources

  • NIST Pocket Guide by Alan Calder, a leading author on information security and IT governance, is available to pre-order with a 15% discount.