Whenever a government agency, contractor, or subcontractor wants to work with a cloud service provider, they have to find one that upholds the level of cybersecurity, physical security, and authentication that the government sets as standard.

Usually, agencies have two options to do this. They can work with a cloud service provider that is FedRAMP authorized, or they can work with one that is FedRAMP Equivalent.

The difference between these two used to mean that Equivalent saw a lot of use. However, a recent memo from the Department of Defense clarified rulings, issued guidance for FedRAMP Equivalent security, and removed a loophole that allowed those government agencies and contractors to shirk their responsibilities via the Equivalency system. This has widespread knock-on effects throughout the network of contractors and has made many more agencies, contractors, and subcontractors turn to another government resource: the FedRAMP Marketplace.

What is the FedRAMP Marketplace?

The FedRAMP marketplace is just what it sounds like: a directory of FedRAMP-designated cloud service providers. However, it’s also more than just that. In their own words:

“The FedRAMP Marketplace is a searchable and sortable database of CSOs that have achieved a FedRAMP designation, a list of federal agencies using FedRAMP Authorized CSOs, and FedRAMP recognized assessors/auditors (3PAOs) that can perform a FedRAMP assessment.”

So, it isn’t just cloud service offerings, but 3PAOs and even federal agencies listed in the marketplace.

The overall purpose of the marketplace is to facilitate these entities finding one another. It eliminates the need for, say, 3PAOs to use SEO to show up in web searches from cloud service providers who need authentication, to use one example.

As of the time of this writing, there are 337 total FedRAMP-authorized services across the four possible impact levels. Including the other designations, there are 475 total services, as well as 230 agencies and 42 assessment organizations. This number changes over time as some cloud service providers lose their authorization and others gain it. For example, just a few weeks ago, we wrote a more detailed guide about one of the designations, and at the time, there were 474 cloud products, 234 agencies, and 42 assessors listed in the marketplace.

What Are FedRAMP Marketplace Designations?

When you browse through the list of cloud service providers, you’ll see several columns of information.

• Provider: This is the name and brand of the cloud service provider themselves.
• Service Offering: This is the particular service that is authorized; some large brands, like Adobe, Microsoft, and Google, all have multiple listings for different services.
• Service Model: This identifies whether the service is Infrastructure as a Service, Platform as a Service, or Software as a Service.
• Impact Level: There are four impact levels. The lowest, LI-SaaS, is for services with very little data or access to government or sensitive information. Low, Moderate, and High impact are all subsequently escalating in terms of how much and how sensitive or important the information they handle is. You can read more about this in our guide, The FedRAMP Impact Levels Explained.
• Status: This is the FedRAMP designation for the service provider, and what the bulk of the rest of this article will be about.
• Authorizations: This is the number of government agencies and contractors that have worked with the service provider for Authority to Operate.
• Reuse: This is the number of times the service offering’s security documentation package has been reused for additional authorizations.

You can use this information to learn about the products in the marketplace. For example, the single most-authorized cloud service is Microsoft’s Office 365, with 95 authorizations and 273 reuses. The most reused authorization is Amazon’s GovCloud wing of Amazon Web Services, with a whopping 858 reuses.

Note: What does it mean if a FedRAMP-designated cloud service offering on the marketplace has zero authorizations and zero reuses? It means that the service is currently undergoing some form of the authorization process but has not received a full Authority to Operate from a government agency or a Provisional Authority to Operate from the JAB. More on that when we talk about designations momentarily.

Earning and maintaining a listing on the FedRAMP Marketplace is critical for successfully working with many different government agencies. But, it can be important both as a service provider or as a government agency to understand what the three different Marketplace Designations are and what they mean. So, let’s discuss them.

FedRAMP Marketplace Designation 1: FedRAMP Ready

The first of the three designations a cloud service provider can have on the FedRAMP Marketplace is FedRAMP Ready.

FedRAMP Ready is a designation that indicates the cloud service provider has done the work to achieve a certain level of security, according to their impact level. A certified third-party assessment organization has worked with the cloud service provider, audited their security posture, and attested to the fact that they have the posture they claim to have. The cloud service provider has also submitted a RAR, or Readiness Assessment Report, which has been reviewed and accepted by the FedRAMP Program Management Office.

However, you may notice, if you browse through the FedRAMP Marketplace, that none of the service providers with FedRAMP Ready designation have authorizations.

This is because FedRAMP Ready is a designation stating that your cloud service provider is ready to pursue an authorization but does not currently have an authorization. For many, but not all, cloud service providers in the FedRAMP Ready designation, the authorization they’re seeking is the intensive, time-consuming, and deeply-reviewed Provisional Authority to Operate from the Joint Assessment Board. This is because a P-ATO requires seeking FedRAMP Ready status as part of the authorization process.

FedRAMP recommends that any cloud service provider pursuing a regular agency Authority to Operate also seek FedRAMP Ready status if possible, but it’s not required for individual agency ATOs. It’s just often a good idea because if you can obtain FedRAMP Ready status, it’s only a short jump to achieving full authorization.

One critical detail is that FedRAMP Ready is only available to cloud service providers at a FedRAMP Moderate or High impact level. Low-impact and LI-SaaS cloud services cannot achieve FedRAMP Ready status.

Once the PMO reviews the RAR and approves the CSP to be FedRAMP Ready, that readiness is valid for a total of one calendar year, beginning on the date of that approval. To maintain readiness, the CSP can continue to work with a 3PAO to review and submit another RAR for another year of Ready designation.

FedRAMP Ready is a fallback status. If a cloud service provider achieves FedRAMP In-Process or FedRAMP Authorized, their designation on the marketplace will be updated. If they subsequently lose that designation, and are still within the one year period, they will be dropped back to FedRAMP Ready. If the year has expired, they will need to seek readiness again in the same way it was handled before.

FedRAMP Marketplace Designation 2: FedRAMP In-Process

When a cloud service provider achieves FedRAMP Ready status, it means they can continue to work with the JAB to pursue a Provisional Authority to Operate, or they can work with an agency to achieve an agency Authority to Operate.

In both cases, if the CSP is undergoing the process of achieving the P-ATO or ATO, they will be listed as FedRAMP In Process. As of this writing, there are 109 CSPs in the In Process designation.

In order for a cloud service provider to be listed as In Process on the Marketplace, they have to meet specific requirements. If they are prioritized by the JAB to receive a P-ATO:

• They must achieve FedRAMP Ready within 60 days of receiving prioritization from the JAB.
• They must finalize their System Security Plan.
• They must engage with a 3PAO to develop a Security Assessment Plan, conduct a full security assessment according to that plan, and produce a validated Security Assessment Report.
• They must upload all of their relevant documentation to the MAX.gov document repository (or, if authorized at the High baseline impact level, to their own private repository.)
• They must participate in a formal kickoff meeting with the JAB, the relevant PMO, and their 3PAO.

The process is similar but less stringent if they are seeking an Agency ATO:

• They must obtain written confirmation of the agency’s intent to authorize the CSP.
• They must submit a Work Breakdown Structure to the PMO.
• They must confirm their system is fully operational as defined by the PMO.
• They must fulfill one of four additional requirements.
  • Provide proof of a contract award for the use of the CSP.
  • Demonstrate the use of the service offering to the PMO from the agency and CSP.
  • Have FedRAMP Ready status.
  • Undergo the P-ATO process and Kickoff meeting.

As you can see, if you’re working with the JAB, you need to achieve FedRAMP Ready, and if you are working with an agency, achieving FedRAMP Ready is one option to receive authorization.

Note that if you want a more detailed rundown of the FedRAMP In-Process designation and what it means, we wrote a complete guide to it here. If you have further questions, feel free to reach out and ask; as one of the Marketplace-listed 3PAOs, we’re qualified to answer them for you and work with you to achieve this status if you wish to pursue it. You can also read more about specific documentation and processes, like the formal letters, the work breakdown structure, or the kickoff meeting directly from the FedRAMP site.

FedRAMP Marketplace Designation 3: FedRAMP Authorized

The third and final designation on the FedRAMP Marketplace is FedRAMP Authorized.

As you might expect, this is the designation achieved by any cloud service provider that has either a JAB Provisional Authority to Operate or an Agency Authority to Operate. This designation means two things. The first is that the cloud service provider is able to work with the agency or agencies that authorize them (and, in the case of a P-ATO, any agency). The second is that their security documentation is uploaded and available if another agency wishes to copy the work and issue their own authorization.

This is what the “reuse” entry on the table of data for any given cloud service provider is: the number of times that data package has been reused by another agency to replicate the authorization process without having to go through the whole thing from scratch. Essentially, the government recognizes that the full authorization process is time-consuming and difficult and that, once passed, it is unlikely to change significantly between agencies. Therefore, an agency that wishes to use the same authorized CSP as another agency can take the same security package and reuse most of it, with some relevant changes for differences between the agencies and their usage of the service. You can read more about reuse in the FedRAMP Reusing Authorizations for Cloud Products Quick Guide.

Losing a Designation

Is it possible to lose designation on the FedRAMP Marketplace? Yes.

A service provider can lose FedRAMP Authorized if they no longer have any ATOs on file, if their continuous monitoring determines that their security posture is no longer sufficient, or if a JAB-authorized CSP does not demonstrate sufficient demand from the government. If they lose Authorized status and are still within a calendar year of their Ready designation, they fall back to Ready; otherwise, they are removed from the Marketplace.

A service provider can lose FedRAMP In Process if the timeline for the process is exceeded, if they break ties and are no longer working with an agency or the JAB for authority to operate, or if they’ve been deprioritized by the JAB. They fall back to FedRAMP Ready if it’s within a year of them receiving the Ready designation.

A service provider can lose FedRAMP Ready if they fail to submit a new RAR within a year of their previous RAR. Technically, if they are prioritized or authorized they also “lose” Ready status, but they are still considered Ready in the background.

Helping Your Cloud Service Achieve FedRAMP Marketplace Listing

If you’re a cloud service provider and you’re seeking to work with an agency partner to achieve any of the FedRAMP designations, we’re available to help. As one of the authorized and listed 3PAOs, we can work with you to achieve any designation you need.

Additionally, the Ignyte Platform was designed from the ground up to help maintain cohesive and accurate documentation for all of the important security postures and templates you need to keep on file. Book a demo today to see what it can do for you!

*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Max Aulakh. Read the original post at: https://www.ignyteplatform.com/blog/fedramp/guide-fedramp-marketplace-designations/