What is GovRAMP?
GovRAMP is a security framework designed to standardize, strengthen, and streamline cloud security for government entities at the state and local level. Drawing heavily from the success and structure of FedRAMP, the Federal Risk and Authorization Management Program, GovRAMP provides a unified approach to assessing and managing cybersecurity risk for cloud service providers (CSPs) serving state and local governments. SafeLogic is a GovRAMP member.

GovRAMP vs. FedRAMP
GovRAMP draws heavily on the structure and success of FedRAMP, adopting its methodologies while tailoring its scope and application for state and local government entities. This allows CSPs working with state and local governments to leverage their FedRAMP experience and knowledge while aligning with the specific requirements of GovRAMP. Thus, GovRAMP and FedRAMP, while distinct in their scope, are fundamentally allied in their mission to provide robust cybersecurity frameworks for government operations.
IaaS, PaaS, and SaaS Providers Must Use FIPS-Validated Cryptography for Encryption to Obtain Their GovRAMP Certification
GovRAMP is based on FedRAMP, which is in turn based on NIST Special Publication (SP) 800-53. There are three (3) critical controls that have been mapped from NIST 800-53, are required at every GovRAMP baseline, and that address encryption:
- IA-7 Cryptographic Module Authentication
- SC-12 Cryptographic Key Establishment and Management
- SC-13 Cryptographic Protection
The security controls in NIST's publications consistently reference the standard NIST wrote for cryptography: Federal Information Processing Standard (FIPS) 140, now in the process of transitioning from its second revision, FIPS 140-2, to its third, FIPS 140-3.
SP 800-53 states that in all cases, if encryption is employed as a mechanism to meet a security requirement, it must be FIPS 140 validated under the Cryptographic Module Validation Program (CMVP).
You can never go wrong with FIPS 140-2 validated encryption in federal government deployments or when satisfying NIST requirements.

What is Required to Get GovRAMP Authorized?
To have a cloud product GovRAMP certified, a company must first become a Cloud Service Provider (CSP). CSPs must then navigate a multi-step process. Initially, the CSP must complete a Security Assessment Plan (SAP), which provides a detailed description of the security controls in place and how they are implemented. This plan is then assessed by a GovRAMP-approved Third Party Assessment Organization (3PAO). After the assessment, the 3PAO prepares the Security Assessment Report (SAR), which details the results of the security assessment.
The CSP is also required to prepare a System Security Plan (SSP), which provides an overview of the security requirements of the system and describes the controls in place to meet those requirements. The CSP then submits the SSP, the SAR, and a Plan of Action and Milestones (POAM) to the GovRAMP PMO. The POAM should detail how any outstanding security issues will be addressed.
The GovRAMP PMO reviews the submitted documents and, if everything is in order, certifies the CSP's cloud product as GovRAMP-ready. Regular monitoring is conducted to ensure that the company's cloud product continues to meet the GovRAMP requirements. This cycle of continuous monitoring and reauthorization ensures that the cloud product remains compliant and secure in the ever-evolving cyberspace.
SafeLogic's FIPS 140-Validated Cryptography Software & GovRAMP Requirements
Getting your own cryptography software reviewed, tested, validated, and certified by NIST can take as long as two years, not counting the time required to develop the software. SafeLogic literally cuts the time required to achieve NIST FIPS 140 certification from two years to two months, then keeps your certification active over time with these three key capabilities.


CryptoComply™
CryptoComply is SafeLogic’s flagship FIPS 140-validated software product. It delivers “Drop-in Compliance” as direct replacements for popular open-source crypto providers.


RapidCert™
SafeLogic revolutionized the FIPS industry twelve years ago with RapidCert, the industry's first expedited rebranding program. Get a FIPS certification in your name in only two months with RapidCert.


MaintainCert™
Now SafeLogic is revolutionizing FIPS again with MaintainCert. FIPS certificates go ‘historical’ all the time, meaning they are no longer valid. Not with MaintainCert, SafeLogic’s new white-glove support service.