INTRODUCTION: WELCOME TO FEDRAMP
Welcome to the FedRAMP Agency Liaison Program!
The purpose of this Program is to establish a connection between the Federal Risk and Authorization Management Program (FedRAMP) Program Management Office (PMO) and cloud security authorization personnel within each federal agency. The person or team that serves as their agency’s FedRAMP Liaison(s) should be able to communicate about and articulate their agency’s internal authorization process and should be involved in their agency’s FedRAMP Authorization efforts. The aim in creating these connections is to create a governmentwide community that maintains a consistent understanding of FedRAMP’s processes and requirements.
This document will serve as an introductory guide as you enter your role as an Agency Liaison. Within this welcome package, you will find an overview of the Agency Liaison Program, the FedRAMP PMO’s expectations for those serving in the Liaison role, and helpful resources to guide you and your agency as you adopt and implement secure cloud service offerings.
We look forward to working with you and supporting your agency as it engages with FedRAMP. Should you have questions at any point, please don’t hesitate to reach out.
Sincerely,
The FedRAMP Program Management Office (PMO)
Program Background Information
The FedRAMP Agency Liaison Program started in May of 2020. The concept came from the FedRAMP Ideation Challenge. After receiving feedback from stakeholders over the course of several months, the FedRAMP PMO noticed a recurring theme: agencies needed more support to understand and implement FedRAMP’s policies, procedures, and processes. In 2020, the FedRAMP PMO’s focus for the Liaison program was identifying and enrolling Liaisons from the 24 CFO Act agencies. By the end of FY21, the program had enrolled all 24 CFO Act agencies, as well as 36 additional agencies and bureaus. The program built on its initial successes and has enrolled an additional 23 agencies for a grand total of 24 CFO Act agencies and 59 other agencies by the end of FY22.
To date, the FedRAMP PMO has provided specialized training sessions designed to help Liaisons and other key security personnel better understand key elements of the FedRAMP Authorization process. Collaboration through the Agency Liaison program has helped kickstart several Continuous Monitoring Collaboration Groups for cloud service offerings that are widely used by many agencies across the federal government. These groups have helped distribute the burden of Continuous Monitoring (ConMon) and have improved agencies’ visibility into the security posture of cloud systems. The FedRAMP PMO has also leveraged the group to connect agency business units requesting to use new cloud technology to cloud security teams within agencies, which has helped expedite the authorization of cloud service offerings.
The PMO continues to reach out to agencies where there is no representation in the program. Our goal is to have at least one representative from each federal agency that is tied to the security authorization process who can communicate to key stakeholders about their own internal processes, as well as FedRAMP’s processes and requirements. Through FY23, the PMO’s focus will remain on increasing enrollment in the program, providing opportunities for learning and engagement, and actively engaging Agency Liaisons in the authorization process.
AGENCY LIAISON SUPPORT
Our team is dedicated to your agency’s successful adoption of secure cloud technology. The FedRAMP PMO’s Agency Liaison team will be your primary FedRAMP points of contact. If you have questions about FedRAMP or anything related to cloud security, you can contact us via: FEDRAMP-LIAISONS@listserv.gsa.gov.
What Our Team Can Do For You
● Address questions about the FedRAMP Agency and JAB Authorization processes
● Provide clarity on the process for reusing FedRAMP Authorized cloud products
● Address technical questions about a cloud offering’s security package
● Facilitate conversations between Cloud Service Providers (CSP) and agencies about partnership for initial FedRAMP Authorization
● Connect you to any additional resources you might need as an Agency Liaison
FEDRAMP AGENCY LIAISON PROGRAM
Overview & Scope
The FedRAMP PMO develops and presents specialized training material to the Agency Liaison cohort. The Liaison cohort is limited to the CIO-designated Liaisons, their deputies, and any additional POCs that will serve as Liaison support. The intent of the program is to spread knowledge about the FedRAMP process to the relevant members of each federal agency. Liaisons are encouraged to invite ISSOs and relevant security personnel to training or feedback sessions as they see fit. Agency Liaisons will attend training sessions and receive the materials and skills necessary to teach others within their agency about the FedRAMP authorization process. Liaisons will also participate in forums developed to solicit feedback about the FedRAMP PMO and the services it offers. This feedback channel will enable agencies to shape the support the FedRAMP PMO provides to its agency stakeholders.
The FedRAMP Agency Liaison Program establishes a voluntary community of trained individuals that will serve as a unified voice across federal agencies as they teach and facilitate FedRAMP processes and procedures.
Goals of the Program
The focus of the FedRAMP Agency Liaison Program is to enable faster, more efficient authorizations and enable Agency Liaisons to train others within their agencies about the FedRAMP process.
The goals for the FedRAMP Agency Liaison Program are as follows:
1. Connect Agencies to the FedRAMP PMO: Establish a connection between the FedRAMP PMO and the teams that focus on cloud security at each federal agency.
2. Spread Knowledge of the FedRAMP Authorization Process: Ensure all federal agencies understand the FedRAMP authorization process and security requirements cloud service offerings must meet for use across the federal government.
3. Help Agencies Centralize Internal Processes: Designate a “go-to” for each agency that any business unit or system owner can reach out to with questions about their agency’s cloud authorization process.
4. Provide Guidance and Support: Help agencies conduct smoother, faster security authorizations that result in cleaner security packages submitted to the FedRAMP PMO.
Benefits of the Program
Program Benefits Include:
1. Centralized Communication: Establishing direct lines of communication between agencies, bureaus, and the FedRAMP PMO, which creates a way for agencies to communicate with the FedRAMP PMO and each other about all things FedRAMP.
2. Increased Collaboration: Enable sharing of best practices among agencies by aggregating cloud security expertise from across the federal government.
3. Specialized Training: Expanded understanding of the FedRAMP Authorization process by inviting Liaisons to participate in special training opportunities.
4. Greater Efficiency: Designing a single point of expertise that can lead to faster authorizations with the use of fewer resources over time.
5. Improved Visibility: Increasing transparency into FedRAMP updates and strategic initiatives, as well as visibility into your own agency’s cloud landscape.
Commitment to Our Stakeholders
FedRAMP is adopting a community-focused approach to developing the Liaison Program. Our team commits to providing Liaisons with the resources to be successful in training those within their agency. To continuously improve our program, FedRAMP is committed to soliciting Liaison feedback and applying it to FedRAMP processes and procedures.
Benefits to Liaisons
● Empowers those serving in the role to drive efficiency around authorizations at their agency
● Opens channels to specialized trainings and resources
● Provides opportunities for leadership and development
● Provides specialized training about the FedRAMP Authorization process and Cloud Security Requirements to key personnel
Benefits to Agencies
● Streamlines deployment of resources by creating a single leverageable point of expertise
● Facilitates a direct line of communication to the FedRAMP PMO
● Enables coordination among sub-agencies or Bureaus
● Improves visibility into an agency’s cloud landscape and can help identify shadow IT
Opportunities for Engagement
- Liaison-Specific Training: Attend Quarterly FedRAMP hosted training for Agency Liaisons and relevant agency security team personnel.
- Open Office Hours: Meet with a member of the FedRAMP PMO to discuss topics of interest and ask questions about issues your teams are facing. Please use this link to schedule a time that works best for you and your team to meet with the FedRAMP PMO. When scheduling the meeting, please include an agenda and any specific questions you have for the PMO in the Description section.
- Collaborative Sessions: Engage in quarterly open forums planned and facilitated by FedRAMP Agency Liaisons.
- Brown Bag Lunches and Guest Speakers: Sign up to hear about best practices from agencies and other key stakeholders from across the federal government (OMB, NIST, CISA, etc.).
- Conduct Training Within Your Agency: Utilize training materials developed by FedRAMP to train others at your agency about the FedRAMP authorization process and FedRAMP requirements.
Roles and Responsibilities
Level of Effort
The FedRAMP PMO recognizes that our Agency Liaisons have full-time responsibilities beyond this program. At a minimum, we ask that Agency Liaisons make themselves available as a resource to personnel within their agency who may have questions about the FedRAMP Authorization process. The rest is up to you. The PMO works to provide our liaisons with a variety of learning opportunities to choose from. The more you are able to invest into the program, the more you can expect to get out of it, but there are no hard engagement requirements for liaisons. The Liaison program conducts quarterly training sessions that are typically recorded for those who have meeting conflicts.
Agency Liaison
FedRAMP Agency Liaisons will serve as the connection between a federal agency and the FedRAMP PMO. The regular job responsibilities of the person designated to serve as an Agency Liaison should naturally overlap with the PMO’s expectations for the Agency Liaison role. Agencies may enroll a primary Liaison and a secondary Liaison. The primary Liaison should be a government employee within the A&A office of their agency, subagency, or bureau. Secondary Liaisons and Liaison support may be federal employees or contractors of the federal government.
Secondary Agency Liaison
FedRAMP Agency Liaisons can designate a secondary Agency Liaison to support activities and ensure continuity of the Agency Liaison role. Secondary Agency Liaisons will:
● Have adequate knowledge of the Liaison role, as well as FedRAMP processes and requirements such that they can make informed decisions.
● Actively participate in working sessions and provide input, as needed.
Liaison Support
Agencies are not limited to designating just a primary and secondary Agency Liaison. FedRAMP Agency Liaisons may indicate that there are additional staff in their office they would like to include in Liaison meetings and communications. These people should work closely in the A&A process within their agency and may be federal contractors with a government email address.
FedRAMP PMO Support
● Define training topics and provide opportunities for engagement based on feedback from the Liaison group
● Organize and conduct Liaison trainings and collaborative sessions
● Provide support to Liaisons if they would like to conduct their own training on FedRAMP-related topics within their agency
FEDRAMP TRAINING AND THE PATH AHEAD
A major goal of the Agency Liaison Program is to give Liaisons the ability to train others within their agencies about the FedRAMP process. Our team has developed a training curriculum to prepare Liaisons for this role, as well as links to some of our helpful online training resources. All Agency Liaison training materials and resources will be posted to the FedRAMP Help Center. These trainings will be designed as virtual courses.
Collaboration Opportunities & Ad-Hoc Meetings
FedRAMP PMO may call ad-hoc meetings to discuss current events or communicate updates that pertain to federal agencies. In FY22, several ad hoc meetings were called to help agencies work with their CSPs when responding to one of DHS’s Emergency Directives or Binding Operational Directives.
Additionally, the FedRAMP PMO encourages Liaisons to use the FedRAMP Listserv to coordinate meetings amongst each other to discuss any topics of interest.
What We’ve Covered So Far
Below, you will find an overview of the training sessions and meetings that the FedRAMP PMO has held. Resources provided before or during these training sessions can be found on the FedRAMP Liaison Training Page on MAX.gov.
Note: If you do not currently have a USDA Connect account you will need to register to gain access to the FedRAMP Liaison repository.
Training courses we’ve provided so far...

Topic: FY20 Program Kick Off
Description: Agency Liaisons gained an understanding of the program and collaborated to develop a program charter. Liaisons heard from an agency with an existing role similar to a Liaison. Afterwards, the group received an outlook of the program’s training schedule for FY20.
Resources:
● Kick-Off Packet

Topic: FedRAMP 101 & Training at Your Agency
Description: The PMO gave an overview of FedRAMP and the value it provides to CSPs, Agencies, and the overall security of federal data. Training covered:
● Legal Policy and Framework
● Key Entities of FedRAMP
● Paths to Authorization: JAB vs. Agency
● Phases of the Process
● FedRAMP Marketplace and designations
The PMO also provided guidance and resources that will enable Liaisons to facilitate FedRAMP training within their agencies. The session included:
● Design and Facilitation of Trainings (including virtual tips and tricks)
● Communicating with Groups
● Customer Service Skills
Agency Audience: Anyone who wants to use a cloud product; Liaisons who will be facilitating FedRAMP-oriented training sessions.
Resources:
● Packaged slides and talking points that Liaisons can customize
● Draft meeting design document
● Draft communications introducing the training sessions

Topic: Implementing FedRAMP
Description: The PMO provided Agency stakeholders with step-by-step guidance, best practices, and tips to successfully implement the FedRAMP authorization process. Training covered the three phases of the Agency Authorization Process: Pre-Authorization, during Authorization, and post-Authorization/Continuous Monitoring.
Agency Audience: Information System Security Officers (ISSOs); anyone involved in the authorization process.
Recording available via MAX.gov; ISSO live trainings are made available throughout the year.
Resources:
● ISSO in-person training

Description: The PMO provided an overview of how agencies can leverage authorized FedRAMP products at their agency. The PMO reviewed the steps included in the reuse process, and provided guidance to help agencies quickly and efficiently reuse authorized cloud products listed on the FedRAMP Marketplace. The PMO also provided an overview of agency responsibilities for the continuous monitoring of FedRAMP Authorized products, in addition to discussing collaborative ConMon. This training provides an understanding of how to read and review monthly CSP ConMon deliverables.
Agency Audience: ISSOs; Procurement & Acquisitions personnel; personnel responsible for Continuous Monitoring.
Note: Dependent on completion of the Implementing FedRAMP course.

Description: The PMO provided an overview of how agencies can collaborate to review the ConMon deliverables of CSPs that are widely reused across government. This approach reduces the burden of monthly ConMon for CSPs and agencies alike.
Agency Audience: ISSOs; personnel responsible for Continuous Monitoring.
Note: It is helpful to have completed the Understanding Reuse & Implementing ConMon FedRAMP course before viewing this training.
Resources:
● Collaborative Continuous Monitoring Guide
● ConMon 101 breakout session (ISSO training)

Description: This session covers the FedRAMP Connect process for CSPs that will pursue a JAB Authorization. The intent of this session is to educate Liaisons about the ins and outs of the JAB Authorization process.
Agency Audience: Liaisons; Procurement & Acquisitions personnel.

Description: The PMO provided tips and guidance for agency package reviewers as they review the deliverables a CSP provides throughout an initial FedRAMP Authorization effort.
Agency Audience: ISSOs responsible for reviewing security packages for cloud service offerings.
Resources:
● Job Aid: color-coded agency review report template

Description: An overview of FedRAMP’s efforts associated with OSCAL and security package automation.
Agency Audience: Liaisons; ISSOs responsible for reviewing security packages for cloud service offerings; anyone interested in automation of tasks associated with security package reviews.
Resources:
● FedRAMP OSCAL Data Bites Blog

Description: An overview of how to establish successful partnerships with CSPs when serving as an initial authorizing agency.

Description: The PMO provides examples and best practices for agencies when establishing Collaborative Multi-Agency ConMon groups.

Description: The PMO holds space for Liaison panelists from federal agencies to discuss how their respective agencies navigate FedRAMP and any lessons learned throughout the process.

Description: The PMO provides agencies with the updates made from Rev. 4 to Rev. 5 and the transition plan requirements.

Description: The PMO provides agencies with updates to the Marketplace and gives them a forum to share pain points and suggestions to make it better.

Description: The PMO shared updates on the Rev. 5 Baselines and Transition Plan, and then opened the floor to receive feedback on the Rev. 5 Baselines and Transition Plan that was specifically relevant to 3PAOs (Third Party Assessment Organizations).

Description: The PMO partnered with the Office of Management and Budget (OMB) to review OMB’s recently released draft guidance on Modernizing FedRAMP and provide an opportunity for Liaisons to share their feedback on the OMB memo during the public comment period.
ADDITIONAL FEDRAMP RESOURCES
Some key guidance documents for agencies are listed below. These can be shared with others at your Agency that are curious about the FedRAMP Authorization process and/or leveraging FedRAMP Authorized cloud products. These guidance documents, along with a number of other helpful templates, can be found on the FedRAMP website under the “resources” tab.
Online Training Resources
FedRAMP has virtual training courses geared towards educating agencies on exactly what they need to know about FedRAMP Authorization. On our FedRAMP Learning page, you’ll find our ISSO On Demand training modules under Path 4. You can provide these to ISSOs within your Agency to familiarize them with their role and responsibilities pertaining to the FedRAMP process. Reach out to info@FedRAMP.gov, and our team can send you these online modules.
Additionally, the FedRAMP PMO facilitates in person training for Agency ISSOs. The FedRAMP PMO provides hands-on training opportunities with in-depth focus on specific topics for all audiences. These customized training events are intended to meet your Agency’s real-time needs. Follow this link to learn more about requesting an in-person Agency training, and to learn more about our ISSO training courses.
FedRAMP’s Agency Authorization Web Page
The FedRAMP Agency Authorization Web Page provides a high-level look into how an agency would approach the FedRAMP Authorization process, breaking down the process into three simple phases: preparation, authorization, and continuous monitoring. All three phases are equally important to spend time reviewing to develop a knowledge base that allows agency personnel to work through an authorization in an effective and efficient manner.
FedRAMP’s Agency Authorization Playbook
The FedRAMP Agency Authorization Playbook combines best practices and tips with step-by-step guidance for agencies to follow as they work with CSPs to grant an Agency Authority to Operate (ATO). The Playbook explains how agencies can work with the FedRAMP PMO and CSPs through the initial FedRAMP authorization process, identifies the roles and responsibilities of all parties, and defines the FedRAMP resources and templates involved at the various stages of the process.
The FedRAMP Marketplace
The FedRAMP Marketplace is the authoritative source for FedRAMP Authorized cloud services. The Marketplace is a searchable database of all cloud services with a FedRAMP designation. It enables agencies to research authorized cloud services and Third Party Assessment Organizations (3PAOs), and provides contact information and service descriptions for each cloud service.
Package Access Request Form
When an Agency would like to leverage a FedRAMP Authorized service offering, a Package Access Request Form must be submitted to the FedRAMP PMO via info@FedRAMP.gov. This is the document that must be completed to gain access to a FedRAMP Authorized Cloud Service Provider’s security assessment package.
FedRAMP’s Guide to Reuse
FedRAMP’s Quick Guide to Reusing Authorizations for Cloud Products outlines steps and guidance to help agencies quickly and efficiently reuse authorized cloud products within the FedRAMP Marketplace.
Interested in Joining
Interested in joining the FedRAMP Agency Liaison program? Once you’ve reviewed the welcome package, contact the FedRAMP PMO via info@FedRAMP.gov. From there, you will be connected with the FedRAMP Liaison Team who will get you started!
Here you will find a list of the agencies that are currently involved in the program. We invite you to come be a part of the community and learn best practices and authorization techniques from your federal peers!