FedRAMP 20x is building a new cloud-native approach to FedRAMP authorization with industry and entirely in public.

Phase 2 Pilot Authorization Requirements

FedRAMP is still deliberately avoiding specifying exactly how all of the requirements and recommendations must be addressed in Phase 2 so cloud service providers can bring innovative solutions to the pilot - but all requirements and recommendations must be addressed.

The most complicated additions in Phase 2 are the Key Security Indicators in the Authorization by FedRAMP (KSI-AFR) theme. These Key Security Indicators are unique because each ties to a FedRAMP-specific standard or policy with government-specific requirements. Each of these FedRAMP documents contains requirements (worded with “MUST” in the requirement) and recommendations (worded with “SHOULD” in the recommendation) that apply to cloud service providers or other parties.

Every single one of these requirements and recommendations must be addressed. This means using a combination of explanations and automated output to demonstrate that a requirement is met, or providing a goal, plan, or other strategy to implement it in the near term. The same applies to recommendations that are implemented; if a recommendation is not implemented, an explanation and justification must be provided.

In addition, each of these must be reviewed by an assessor to ensure the cloud service provider has documented an accurate implementation or posture for each item and that the documented process is being followed (and audited persistently by the provider).

The FedRAMP Authorization Package

Many participants during Phase 1 were confused when FedRAMP requested access to evidence, artifacts, and related materials for the assessment. 20x authorizations are FedRAMP-based assessments of all the materials in an authorization package, including all evidence and validation, supported by findings by an assessor. Information provided by both cloud service providers and assessors, individually or in combination, must enable agency customers to make timely, risk-based decisions without extensive interpretation or assumptions. The level of detail must be adequate for both risk executives and their technical subject matter experts.

Phase 2 pilot packages should ensure FedRAMP has access to this information by default, and participants should be prepared to walk FedRAMP through aspects of the cloud service offering in detail. All FedRAMP staff are restricted by existing government policy from taking any inappropriate action with this information and do not need to be covered by a specific NDA for this review. No company should expect FedRAMP staff to agree to terms and conditions or an NDA to perform the review; if a company is unwilling or unable to share information without an NDA in place, it will be disqualified from participation in the pilot.

Like Phase 1, we expect packages to be provided in diverse, innovative ways and are not placing explicit requirements beyond those documented in the Authorization Data Standard (KSI-AFR-03) and other Key Security Indicators. Participants merely need to address all requirements and ensure this information is available in both human-readable and machine-readable formats for FedRAMP review.

Completeness Requirements

Submissions during the Phase 2 pilot MUST meet the following requirements:

  • Automated validation must be used to measure some aspects of the provider’s goals for at least 70% of the Key Security Indicators.

  • Every single Key Security Indicator, Requirement, and Recommendation must be addressed in some form.

  • Validation evidence must be embedded or linked directly from both human-readable and machine-readable submission formats and made available (non-redacted) for FedRAMP review.

  • A machine-readable schema must be provided that can be used to validate and interpret the machine-readable format.

  • Information within human-readable and machine-readable formats should fully reconcile.

  • In specific cases, the FedRAMP Director may grant exceptions for a few specific requirements that are not yet fully implemented at the time of assessment. Any requirements that are not fully implemented must include a plan for implementation within six months of authorization.

  • Where requirements include future activities like incident response, significant change notification, vulnerability detection, or other such regularly or persistently supplied reports, a sample report should be supplied to demonstrate that the cloud service provider is prepared to meet future activity requirements.

FedRAMP will accept partial implementations for a non-critical subset of requirements; the specifics of this will require a case-by-case determination.
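As an added illustration (not FedRAMP's own code, and not a prescribed format), the following Python applies the completeness rules above to a hypothetical machine-readable package: schema validation, every KSI addressed, evidence present, a six-month plan for anything not fully implemented, reconciliation with the human-readable narrative, and the 70% automated-validation threshold. Field names, status values and the sample entries are assumptions.

```python
# Added illustration, not FedRAMP's own code: a completeness check over a
# hypothetical machine-readable package; field names and data are assumed.
from datetime import date
SCHEMA = {"ksi": str, "status": str, "validation": str, "evidence": list}
STATUSES = {"implemented", "partial", "planned"}

def six_months_after(iso_day):
    d = date.fromisoformat(iso_day)  # +6 calendar months, day clamped to 28
    return date(d.year + (d.month + 5) // 12, (d.month + 5) % 12 + 1, min(d.day, 28)).isoformat()

def check_schema(entry):
    problems = [f"{k}: missing or wrong type" for k, t in SCHEMA.items()
                if not isinstance(entry.get(k), t)]
    if entry.get("status") not in STATUSES:
        problems.append(f"status must be one of {sorted(STATUSES)}")
    return problems

def check_package(expected, machine, human, authorized_on):
    """Apply the Phase 2 completeness rules; return findings keyed by rule."""
    f, by_id = {"schema": []}, {}
    for e in machine:
        problems = check_schema(e)
        if problems:
            f["schema"].append((e.get("ksi"), problems))
        else:
            by_id[e["ksi"]] = e
    # Every expected KSI must be addressed, and every entry must carry evidence.
    f["unaddressed"] = sorted(set(expected) - set(by_id))
    f["evidence"] = sorted(k for k, e in by_id.items() if not e["evidence"])
    # Anything not fully implemented needs a plan due within six months.
    deadline = six_months_after(authorized_on)
    f["plan"] = sorted(k for k, e in by_id.items() if e["status"] != "implemented"
                       and not (e.get("plan_due") and e["plan_due"] <= deadline))
    # The human-readable narrative must state the same status per KSI.
    f["reconcile"] = sorted(k for k, e in by_id.items() if human.get(k) != e["status"])
    # Automated validation must cover at least 70% of the expected KSIs.
    automated = sum(e["validation"] == "automated" for e in by_id.values())
    f["automated_ratio"] = round(automated / len(expected), 2) if expected else 0.0
    f["passes"] = f["automated_ratio"] >= 0.70 and not any(
        f[r] for r in ("schema", "unaddressed", "evidence", "plan", "reconcile"))
    return f

def demo():
    """Run the check over a constructed four-KSI sample; KSI-D is unaddressed."""
    machine = [
        {"ksi": "KSI-A", "status": "implemented", "validation": "automated", "evidence": ["https://example.invalid/a"]},
        {"ksi": "KSI-B", "status": "implemented", "validation": "automated", "evidence": ["inline:scan-2025-09"]},
        {"ksi": "KSI-C", "status": "partial", "validation": "manual", "evidence": ["inline:ticket-42"], "plan_due": "2026-01-15"}]
    human = {"KSI-A": "implemented", "KSI-B": "implemented", "KSI-C": "implemented"}
    return check_package(["KSI-A", "KSI-B", "KSI-C", "KSI-D"], machine, human, "2025-10-01")
```

Dates are ISO strings so they compare correctly as text; the constructed sample fails on the missing KSI, the narrative mismatch for KSI-C, and a 50% automation ratio.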

Example KSI-AFR Discussion

KSI-AFR-01 (MAS) expects a secure cloud service provider seeking FedRAMP authorization to apply the FedRAMP Minimum Assessment Standard and persistently address all related requirements and recommendations.

To address these requirements, a provider must first understand that “persistently” is defined in FedRAMP Definitions (FRD-ALL-38) as “Occurring in a firm, steady way that is repeated over a long period of time in spite of obstacles or difficulties. Persistent activities may vary between actors, may occur irregularly, and may include interruptions or waiting periods between cycles. These attributes of persistent activities should be intentional, understood, and documented; the status of persistent activities will always be known.”

This adds an additional requirement to any persistent activity: the responsible parties, cycles, actions, etc. must all be documented. One of the first steps in addressing KSI-AFR-01 is to document these activities - including the frequency and duration of each cycle - that are performed by the cloud service provider to monitor the scope of services included in the cloud service offering.

Inside the Minimum Assessment Standard itself, the first requirement is FRR-MAS-01 as follows: “Providers MUST identify a set of information resources to assess for FedRAMP authorization that includes all information resources that are likely to handle federal customer data or likely to impact the confidentiality, integrity, or availability of federal customer data handled by the cloud service offering.”

This requirement is ideally met using automated processes that can generate a complete listing of all relevant information resources from authoritative sources. It should include all information resources (see FRD-ALL-02) in scope, not just machine resources - that means the cloud service provider must track people with different levels of access to federal customer data (or with ways to impact it) as well as relevant financial streams and budgets. All aspects of the business must be included.

FedRAMP will expect to review the set of information resources identified, but they do not need to be individually defined. How a cloud service provider goes about sharing this is up to them, with everything from the traditional diagram to lists to AI-generated videos being on the table, but both the assessor and FedRAMP will expect to see that this information is available. The cloud service provider itself should of course be able to demonstrate that it monitors individual resources within each set as well… and ideally this is all automated and persistently generated as needed, so that the cloud service provider can demonstrate complete awareness of all information resources at any time.

This single requirement at FRR-MAS-01 is likely one of the most complicated ones to implement and document… and it’s just the first of a few such requirements and recommendations to be addressed for KSI-AFR-01. This example hopefully helps participants consider their approach to meeting all of these Key Security Indicators.