Acquire FedRAMP authorization #95

Open
briri opened this issue Jan 19, 2024 · 2 comments
@briri (Collaborator) commented Jan 19, 2024

We would be considered a "FedRAMP Tailored Low Impact-Software as a Service (Li-SaaS) provider".
We fall under Li-SaaS because we provide a service (as opposed to infrastructure) and we do not store personally identifiable information (PII) beyond what is generally required for login capability (i.e. username, password, and email address).

It does require some administrative overhead. We would have to engage with a "Third-Party Assessment Organization (3PAO)" to become pre-authorized (3PAOs can be found in the FedRAMP marketplace). I'm not sure what that looks like from a time or dollar amount. There are then several HCVAT-like documents that need to be filled out, and we would also need to engage with the FedRAMP PMO; I suspect having someone at one of the agencies (e.g. DOT, CDC, etc.) helping us out would be helpful.

Things we should consider/do in the new system:

  • Document the system architecture
  • Define and Document incident response procedures
  • Document user account security (who has access to a user's account info)
  • Ensure we lock accounts after too many login attempts, allow admins to lock accounts, remove privileges when a user changes affiliation
  • Ensure admins may only access their own users
  • Ensure that admins cannot see user passwords nor reset them
  • Allow users to delete their account (archive and tokenize)
  • We might want to consider letting org admins require 2-factor
  • Have an audit log for changes and access to user account data
  • Have automated testing in place for security vulnerabilities

Achieving FedRAMP authorization for the system as a Low Impact-Software as a Service (Li-SaaS) provider involves several steps. Here are the key actions and considerations we should address:

  • Understand FedRAMP Requirements: Familiarize yourself with the FedRAMP requirements, specifically the controls and documentation needed for a Low impact level.
  • Select a 3PAO: Choose a FedRAMP-accredited Third-Party Assessment Organization (3PAO) to conduct an independent security assessment. The 3PAO will evaluate the DMPTool's security controls against the FedRAMP requirements.
  • Prepare Documentation: Develop a comprehensive System Security Plan (SSP) that outlines the security controls implemented by the DMPTool. Create a Plan of Action and Milestones (POA&M) detailing any identified vulnerabilities and the plan for addressing them.
  • Security Assessment: Engage with the chosen 3PAO to perform a security assessment of the DMPTool. This involves testing the effectiveness of security controls and documenting the results.
  • Remediate Findings: Address any vulnerabilities or weaknesses identified during the security assessment. Ensure that the DMPTool meets the specified security controls.
  • Continuous Monitoring Plan: Develop a plan for continuous monitoring. FedRAMP requires ongoing monitoring to ensure that security controls remain effective over time. This includes regular assessments and reporting.
  • Collaborate with the FedRAMP PMO: Work with the FedRAMP Program Management Office (PMO) to submit the necessary documentation and coordinate the authorization process.
  • Authorization Package Submission: Submit the authorization package, including the SSP, POA&M, and assessment results, to the appropriate Authorizing Official (AO) or the FedRAMP JAB, depending on the impact level.
  • Agency Review (for FedRAMP Low): If seeking authorization at the Low impact level, the individual agency's Authorizing Official will review and grant the Authority to Operate (ATO) if satisfied with the security posture.
  • Maintain Compliance: After receiving authorization, implement a robust continuous monitoring program to ensure ongoing compliance with FedRAMP requirements.

It's crucial to engage with the FedRAMP PMO early in the process to seek guidance and ensure that you're following the correct procedures. Additionally, having a well-documented and secure system, along with collaboration with a FedRAMP-accredited 3PAO, will contribute to a smoother authorization process.

@briri briri added the security label Jan 19, 2024
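The account-security items in the checklist above (lock after too many failed logins, admin-initiated lock, admins restricted to their own users, no readable passwords, an audit log of account access and changes) sketched as runnable Ruby. This is an added illustration, not DMPTool or DMPRoadmap code; the threshold `MAX_FAILED_ATTEMPTS`, the organisation-scoping rule in `admin_lock`, the PBKDF2 parameters and the sample accounts in `lockout_demo` are all assumptions made for the example.

```ruby
# Added illustration (not DMPTool project code) of the account-security items in the
# checklist: lockout after repeated failures, an admin-initiated lock limited to the
# admin's own organisation, passwords kept only as salted PBKDF2 hashes, and an audit
# log of every login attempt and administrative change.
require 'openssl'
require 'securerandom'

MAX_FAILED_ATTEMPTS = 5 # assumed policy threshold, not a value from the issue
AuditEvent = Struct.new(:actor, :action, :subject, :at)

# Append-only record of who did what to which account.
class AuditLog
  attr_reader :events
  def initialize; @events = []; end
  def record(actor:, action:, subject:)
    @events << AuditEvent.new(actor, action, subject, Time.now.utc)
  end
end

class Account
  attr_reader :username, :org, :failed_attempts, :locked_reason
  def initialize(username, org, password)
    @username, @org = username, org
    @salt = SecureRandom.random_bytes(16)
    @password_hash = derive(password) # only the hash is kept, and nothing exposes it
    @failed_attempts, @locked_reason = 0, nil
  end
  def locked?; !@locked_reason.nil?; end
  def lock!(reason); @locked_reason = reason; end
  def register_success!; @failed_attempts = 0; end
  def register_failure!
    @failed_attempts += 1
    lock!(:too_many_attempts) if @failed_attempts >= MAX_FAILED_ATTEMPTS
  end
  # Constant-time comparison so timing reveals nothing about the stored hash.
  def password_matches?(candidate)
    a, b = derive(candidate), @password_hash
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
  private
  def derive(password)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: @salt, iterations: 20_000, length: 32, hash: 'sha256')
  end
end

class AuthService
  def initialize(audit); @audit, @accounts = audit, {}; end
  def add(account); @accounts[account.username] = account; end
  # Returns :ok, :invalid or :locked. An unknown username gets the same :invalid
  # answer as a wrong password, so the response does not reveal which accounts exist.
  def login(username, password)
    @audit.record(actor: username, action: :login_attempt, subject: username)
    account = @accounts[username]
    return :invalid unless account
    return :locked if account.locked?
    if account.password_matches?(password)
      account.register_success!
      @audit.record(actor: username, action: :login_success, subject: username)
      return :ok
    end
    account.register_failure!
    return :invalid unless account.locked?
    @audit.record(actor: :system, action: :locked_too_many_attempts, subject: username)
    :locked
  end
  # An admin may lock only accounts in their own organisation (checklist: "admins may
  # only access their own users"); denied attempts are logged as well as successful ones.
  def admin_lock(admin, username)
    target = @accounts.fetch(username)
    if admin.org != target.org
      @audit.record(actor: admin.username, action: :admin_lock_denied, subject: username)
      return :denied
    end
    target.lock!(:admin)
    @audit.record(actor: admin.username, action: :admin_locked, subject: username)
    :locked
  end
end

# Exercise the policy with constructed sample accounts and return each outcome.
def lockout_demo
  audit = AuditLog.new
  auth = AuthService.new(audit)
  alice = Account.new('alice', 'org-a', 'correct-horse-battery-staple')
  bob = Account.new('bob', 'org-a', 'another-password')
  admin_a = Account.new('admin-a', 'org-a', 'pw-a')
  admin_b = Account.new('admin-b', 'org-b', 'pw-b')
  [alice, bob, admin_a, admin_b].each { |a| auth.add(a) }
  attempts = Array.new(MAX_FAILED_ATTEMPTS) { auth.login('alice', 'wrong-password') }
  {
    attempts: attempts, # four :invalid answers, then :locked
    correct_password_while_locked: auth.login('alice', 'correct-horse-battery-staple'),
    cross_org_lock: auth.admin_lock(admin_b, 'bob'),
    same_org_lock: auth.admin_lock(admin_a, 'bob'),
    unknown_user: auth.login('nobody', 'whatever'),
    audit_actions: audit.events.map(&:action)
  }
end
```

The audit log is written before the account lookup, so even probes against non-existent usernames leave a trace, and the lock state is checked before the password is verified, so a locked account cannot be opened by guessing the right password. The "remove privileges when a user changes affiliation" item would sit naturally beside `admin_lock`, keyed on the same `org` attribute.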
@bofstein (Collaborator) commented
Should turn FedRAMP authorization into an Epic and have those steps as tickets.
Not urgent for initial set up, but we will want it down the line for government partnerships.

@marisastrong (Member) commented
This AWS solution might be interesting to explore - at least understand what this compliance framework covers and see if we are doing similar things already and what we might consider adding to our framework/architecture. The solution noted here supports FedRAMP.

https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/

The Landing Zone Accelerator on AWS solution deploys a foundational set of capabilities that is designed to align with AWS best practices and multiple global compliance frameworks. With this AWS Solution, you can better manage and govern your multi-account environment that has highly-regulated workloads and complex compliance requirements. When used in coordination with other AWS services, it provides a comprehensive, low-code solution across more than 35 AWS services.

I found this on the Educause Cloud Computing Connect group, as they are offering discussions about this framework with other universities and establishing communities of practice. You can access Educause by logging in as the UCOP institution.

https://connect.educause.edu/discussion/reminder-internet2-net-and-aws-partner-to-create-a-landing-zone-accelerator-community-of-practice
