March 20, 2019

FedRAMP Compliance Requirements for Business (macOS)

The Federal Risk and Authorization Management Program, or FedRAMP, is a government program designed to provide, as they put it in their FedRAMP Security Assessment Framework document, “a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based services.”

While FedRAMP is meant for cloud service providers (CSPs) and government agencies, other organizations can still benefit from maintaining FedRAMP compliance—especially if they plan to work with a government agency at some point.

What is FedRAMP compliance? What are some major FedRAMP compliance requirements? More importantly, how can your organization achieve FedRAMP compliance for macOS devices?

Some Basic FedRAMP Compliance Information

In the text of the FedRAMP Security Assessment Framework (SAF) document, there are 14 different applicable laws and regulations as well as 19 different standards and guidance documents connected to FedRAMP (as of Version 2.4 of FedRAMP’s SAF).

Some of the key laws/regulations related to FedRAMP include:

  • The Federal Information Security Management Act (FISMA). Much of FedRAMP’s SAF is concerned with standardizing how FISMA “applies to cloud computing services.” As such, FISMA forms much of the basis for FedRAMP compliance.

  • E-Authentication Guidance for Federal Agencies. The Office of Management and Budget (OMB) published the E-Authentication Guidance for Federal Agencies in 2003. This document “establishes and describes four levels of identity assurance for electronic transactions requiring authentication.” These “assurance levels” range from Level 1 (little to no assurance) to Level 4 (very high confidence in identity).

  • OMB Circular A-130. OMB Circular A-130 is a memo for the management of “Federal Information Resources” detailing the responsibilities federal agencies have when maintaining records about individuals, the implementation of the Government Paperwork Elimination Act, and the security of federal automated information resources.

These regulations all helped to inform the creation of FedRAMP’s security assessment framework in one way or another. So, they can be considered key to understanding FedRAMP security requirements.

There are two paths to achieving FedRAMP authorization:

  1. Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO)
  2. FedRAMP Agency Authority to Operate (ATO)

The first option involves submitting an initiate request through the FedRAMP website. The JAB “will provide the risk review of all documentation provided by the CSP in the security authorization package” to determine if the cloud service provider meets FedRAMP compliance requirements.

The second option is for CSPs that are working directly with a federal agency. Here, “the Federal Agency will provide the risk review of all documentation provided by the CSP.” Both approaches require filing a security assessment package, but have different groups reviewing them.

Achieving FedRAMP Compliance: The FedRAMP Risk Management Framework

FedRAMP’s risk management framework consists of four distinct phases, each of which is subdivided into specific steps:

  1. Document Phase. The document phase covers the first three steps of the framework, which are:
    • Categorize the Information System. A determination of the types of information the CSP will hold/process in their systems.
    • Select Security Controls. Security controls should be selected based on the types of information identified in the previous step.
    • Implement Security Controls. After setting the security control baseline, the CSP implements security controls appropriate to reach that security benchmark.

  2. Assess Phase. The assess phase has three more steps, though the assessor used will vary depending on whether the CSP is filing for a JAB P-ATO or a FedRAMP Agency ATO. JAB P-ATO applicants “must use a 3PAO [third party assessment organization] to perform the testing phase of the process.” Agency ATO applicants also need 3PAO testing, but “they are not required to use a FedRAMP accredited 3PAO.” The three steps of this phase are:
    • Complete the Security Assessment Plan (SAP). Here, the 3PAO or non-accredited independent assessor (IA) creates a testing plan based on the FedRAMP compliance template.
    • Use Test Case Procedures. When assessing a company’s security, 3PAOs and IAs must use FedRAMP’s baseline security test cases.
    • Perform the Security Testing. The assessor follows the procedures outlined in the security assessment plan.

  3. Authorize Phase. After the testing of the Assess Phase, the authorizing officials (AOs) make an authorization decision. This involves:
    • Analysis of Risks. The results of the security control assessment are presented in a security assessment report (SAR) which is analyzed by the AO.
    • Plan of Action and Milestones (POA&M). The company being assessed creates a plan of action with milestones meant to address any specific vulnerabilities revealed in the SAR document.
    • Submission of Security Package for Authorization. The company being assessed assembles a package of documents for review, including the SAR, POA&M, and any test plans and results.
    • Authorization Letter. The AO formalizes their decision to authorize a company’s production environment as sufficiently FedRAMP compliant in an ATO letter.

  4. Monitor Phase. Achieving approval from an AO isn’t the end of the FedRAMP compliance process. Ongoing assessment and authorization are needed to maintain compliance with FedRAMP. There are several key elements in this phase, including:
    • Operational Visibility. The company has to provide two types of information: periodically submitted “control artifacts” and annual reassessments. This information helps assessors verify the status of the company’s compliance with FedRAMP security requirements.
    • Change Control. As cyber threats evolve, so too must the security controls that organizations use. FedRAMP’s framework allows for “periodic changes to the system” but it is necessary to “notify the AO of any impending change to the system that falls outside of the CSP’s Configuration Management Plan.”
    • Incident Response. All companies working to maintain FedRAMP compliance need to have an incident response plan (IRP) in place to manage their response to security incidents—and that IRP has to be documented.

That is a lot of steps, but there are ways to achieve compliance with FedRAMP for macOS and other operating systems on cloud infrastructures. What’s important is that companies have a well-documented set of procedures, policies, and tools for keeping their cloud infrastructure secure from attacks.

The first step is to take a risk-based approach to selecting security configurations for your IT assets, one that shores up your biggest vulnerabilities with minimal effort and expense.

Want to know more about how you can achieve compliance for macOS?
