This week, FedRAMP published a weekly tip that addresses applying for an Agency High Baseline Authorization, and a Readiness Assessment Report (RAR) Federal Mandate that is often overlooked:
Q: What are some frequently asked questions for CSPs who currently hold an Agency Authorization to Operate (ATO) at the Moderate level, but wish to apply for an Agency High Baseline Authorization?
For some CSPs, the ATO transition from the Moderate baseline to the High baseline is simple, because the system in question was originally architected to the High baseline but the CSP opted for FedRAMP Moderate because that was the highest baseline FedRAMP offered at the time.
For other CSPs who wish to transition to the high baseline, FedRAMP recommends that the CSP and the attesting 3PAO download a copy of the FedRAMP High Readiness Assessment Report (RAR) Template from the FedRAMP website and read through the contents of the RAR to understand the depth of scrutiny required for a High Baseline system.
Here are some frequently asked questions regarding this transition:
- Is the ATO transition between a Moderate baseline and a High baseline merely an amendment to the Moderate ATO, or will this process involve a new ATO?
Answer: The High Baseline (HBL) Authorization is a new Authorization at the High Baseline level. This requires that the CSP engage with a partnering Agency (either existing or new) and a FedRAMP-accredited 3PAO or other independent assessor to navigate the HBL Authorization process; i.e., capturing HBL requirements in the SSP and attachments, undergoing testing of (at a minimum) the HBL controls, and re-authorization of the service at the HBL level. This assumes that the cloud service's Moderate-level testing is current and compliant with FedRAMP guidelines.
- Is there a FedRAMP-approved document that speaks to the “net-new” controls between the Moderate baseline and the HBL?
Answer: No. Because of the extent of the control and parameter changes, the CSP must review the requirements as enumerated in the High Baseline (HBL) SSP template and the HBL RAR template to ensure that the CSP's organizational architecture will support the HBL requirements. The same review confirms that the cloud service architecture can meet the HBL requirements.
- Are there any significant new requirements for New Systems?
Answer: Yes. There are changes incorporated in the current FedRAMP HBL set of controls posted on the FedRAMP website, based on collaboration between the FedRAMP PMO and the Joint Authorization Board (JAB). Some of the changes are additional controls; others are more stringent parameters and Additional Guidance. Please see the requirements in the HBL SSP template and the HBL Readiness Assessment Report template. Some examples of changes in the HBL requirements include:
a) More emphasis is placed on the use of automation for control implementations.
b) All CSO services must be included in the authorization boundary.
c) The eAuth requirement is "Level 4" (which includes in-person identity proofing) versus the Moderate requirement of "Level 3 or higher".
d) There are added controls that are particularly challenging, either in terms of resources or technical complexity depending on the cloud service architecture, e.g., SC-3 Security Function Isolation.
Q: One of the Moderate and High RAR Federal Mandates that is often overlooked is item (5): "Does the CSP and system meet Federal Records Management Requirements, including the ability to support record holds, National Archives and Records Administration (NARA) requirements, and Freedom of Information Act (FOIA) requirements?" What does this really mean for a CSP?
A: Since this FedRAMP mandate is a requirement that must be met, it is important that the CSP understands the Federal Records Management Requirements in order to achieve compliance. Because CSPs store, transmit, and process Government data, a CSP must be aware that NARA publishes retention schedules that govern the disposition of these federal records. From the agency perspective, agency program officials are required to coordinate with agency records officers and with NARA to identify appropriate retention periods and disposal methods. Since CSPs and their CSOs are now largely the de facto cloud-based keepers of federal records, CSPs must understand the NARA and FOIA requirements for the federal data and information that traverses and is held in the CSP system. These requirements should be fully outlined in the contract award information, but it is incumbent upon CSP contractors to understand Federal Records Management Requirements. The basic requirements for Federal Records Management can be found at:
Regarding FOIA, “Since 1967, the Freedom of Information Act (FOIA) has provided the public the right to request access to records from any federal agency. It is often described as the law that keeps citizens in the know about their government. Federal agencies are required to disclose any information requested under the FOIA unless it falls under one of nine exemptions which protect interests such as personal privacy, national security, and law enforcement.”
Currently, additional information for the FOIA can be found here:
The FOIA applies only to federal executive branch agencies, which means it does not apply to:
- The Judicial Branch and Federal Courts
- The Legislative Branch and Congress
- State Governments and Courts
Read more about this week's FedRAMP Tips and Cues here.