Qualys has obtained FedRAMP certification, an important seal of approval from the U.S. federal government for cloud computing service providers. This FAQ explains to our customers what FedRAMP is, why we embarked on this effort, and why it is important and beneficial for you.

FedRAMP Basics & Background

What is FedRAMP?

The U.S. federal government developed FedRAMP (Federal Risk and Authorization Management Program) to provide a single, unified and consistent process for federal agencies to assess, authorize and monitor the secure use of certain types of cloud computing services.

Specifically, FedRAMP standardizes how the Federal Information Security Management Act (FISMA) applies to cloud computing services via a security assessment framework.

When did the government launch FedRAMP?

As part of the Obama Administration’s Cloud First initiative, the use of FedRAMP is mandated by the Office of Management and Budget (OMB) for all federal agencies as they migrate their systems and applications to commercial cloud computing services.

The December 2011 OMB FedRAMP policy memo requires federal departments and agencies to utilize FedRAMP-approved cloud systems.

What is the process FedRAMP seeks to improve upon?

Prior to FedRAMP, each agency conducted its own evaluations for cloud computing services. This often resulted in redundant, inconsistent, costly and inefficient efforts.

What are some specific ways FedRAMP sharpens this process?

FedRAMP establishes a baseline set of security evaluation criteria for cloud services, creating uniform and standard guidelines and requirements for all agencies.

FedRAMP also allows agencies to reuse assessments and authorizations, so that a cloud service provider can be certified once, not multiple times by each agency.

FedRAMP also offers agencies standardized sales contract language that incorporates FedRAMP requirements and best practices that they can use when engaging in a sales negotiation with a cloud computing vendor.

In other words, the “do once, use many times” approach of FedRAMP cuts costs, saves time and streamlines and improves the quality of the security evaluations of cloud computing services for all federal government agencies.

Is FedRAMP certification a one-time event that grants vendors a perpetual right to call themselves compliant?

No. FedRAMP requires that certified vendors engage in continuous post-certification monitoring. The certificate can be revoked if the vendor is found to be at any point in non-compliance with FedRAMP requirements.

This gives U.S. federal government agencies the peace of mind of knowing that their cloud services providers (CSPs) must remain vigilant and continue to comply with the FedRAMP security requirements.

Which federal agencies are involved in FedRAMP?

FedRAMP, governed by the Executive branch of the federal government, involves multiple agencies, including the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the OMB, the Department of Defense (DoD), the Department of Homeland Security (DHS) and the Federal CIO Council.

The FedRAMP Joint Authorization Board (JAB), made up of the CIOs from DHS, GSA and DoD, defines and establishes the FedRAMP baseline system security controls. The FedRAMP Program Management Office (PMO) manages its day-to-day operations.

Qualys’ FedRAMP Objectives

Why did Qualys seek FedRAMP certification?

As a pioneer and leader in enterprise cloud cyber-security software, Qualys supports FedRAMP's goal of increasing the adoption, trustworthiness and consistency of secure cloud solutions in the U.S. federal government, where we have multiple customers.

FedRAMP certification is a key milestone for Qualys as we continue to communicate our offering as a cloud services provider (CSP) throughout the federal government’s civilian, military and intelligence agencies.

The Qualys SaaS model, coupled with our current FedRAMP Authority to Operate (ATO) certification as a CSP, acts as a powerful foundation for our multiple cloud services offerings.

There are different levels of FedRAMP compliance certification. Which one is Qualys aiming for?

Now that Qualys has become a FedRAMP certified CSP, Qualys foresees continuing to work with the DoD to leverage efforts towards FedRAMP+ certification. FedRAMP+ is the concept of leveraging the work done as part of the FedRAMP assessment, and adding specific security controls along with requirements necessary to meet and assure DoD’s critical mission requirements.

As shown in Figure 1, continuing efforts with the DoD on FedRAMP+ will enhance the Qualys offering beyond FedRAMP Moderate status (Impact Level 2) to FedRAMP+ for Controlled Unclassified Information (Impact Level 4).

| Impact Level | Information Sensitivity | Security Controls | Location | Off-Premises Connectivity | Separation | Personnel Requirements |
|---|---|---|---|---|---|---|
| 2 | PUBLIC or Non-Critical Mission Information | FedRAMP v2 Moderate | US / US Outlying Areas or DoD On-Premises | Internet | Virtual / Logical; PUBLIC COMMUNITY | National Agency Check and Inquiries (NACI) |
| 4 | CUI or Non-CUI Non-Critical Mission Information; Non-National Security Systems | Level 2 + CUI-Specific Tailored Set | US / US Outlying Areas or DoD On-Premises | NIPRNet via CAP | Virtual / Logical; Limited "Public" Community; Strong Virtual Separation between Tenant Systems & Information | US Persons; ADP-1: Single Scope Background Investigation (SSBI); ADP-2: National Agency Check with Law and Credit (NACLC); Non-Disclosure Agreement (NDA) |
| 5 | Higher Sensitivity CUI; Mission Critical Information; National Security Systems | Level 4 + NSS & CUI-Specific Tailored Set | US / US Outlying Areas or DoD On-Premises | NIPRNet via CAP | Virtual / Logical; FEDERAL GOV. COMMUNITY; Dedicated Multi-Tenant Infrastructure Physically Separate from Non-Federal Systems; Strong Virtual Separation between Tenant Systems & Information | |
| 6 | Classified SECRET; National Security Systems | Level 5 + Classified Overlay | US / US Outlying Areas or DoD On-Premises; CLEARED / CLASSIFIED FACILITIES | SIPRNet DIRECT with DoD SIPRNet Enclave Connection Approval | Virtual / Logical; FEDERAL GOV. COMMUNITY; Dedicated Multi-Tenant Infrastructure Physically Separate from Non-Federal and Unclassified Systems; Strong Virtual Separation between Tenant Systems & Information | US Citizen with Favorably Adjudicated SSBI & SECRET Clearance; NDA |

Figure 1 - FedRAMP Moderate certification (Impact Level 2) for Qualys as a CSP is the foundation for DoD Impact Level 4, CUI certification

(Table courtesy of the Defense Information Systems Agency, Department of Defense)

Which Qualys applications were evaluated for FedRAMP compliance?

The entire Enterprise TruRisk Platform, along with its suite of applications, was evaluated for FedRAMP compliance.

Who was the company in charge of doing an independent evaluation of Qualys’ platform as part of the FedRAMP certification process?

As required by the FedRAMP certification process, Qualys retained an accredited independent assessor, a Third Party Assessment Organization (3PAO) in FedRAMP parlance, to test security implementations and collect representative evidence relevant to Qualys' accreditation. Qualys' third-party assessor is Coalfire.

Which agency sponsored Qualys’ FedRAMP certification process?

The U.S. Department of Health and Human Services (HHS).

Benefits for Qualys Customers

How will existing and prospective Qualys U.S. federal government customers benefit from having Qualys be FedRAMP certified?

In a number of different ways.

Currently, agencies that use cloud computing services that haven’t been certified as compliant with FedRAMP must periodically provide written justification for their continued use of these services to the White House Office of Management and Budget (OMB).

Consequently, a FedRAMP certification for Qualys will not only give its customers security assurances, but also remove the need to justify their use of our products with the OMB.

A FedRAMP certification will also make it easier for new U.S. federal government customers to adopt our services, since they won't have to do their own baseline security evaluation before selecting Qualys products.

Is the FedRAMP process truly demanding and thus a valuable indicator of cloud service providers' security capabilities? Or is it a bureaucratic exercise any vendor can complete by just going through the motions?

FedRAMP is no walk in the park. Seeking FedRAMP compliance is an extremely rigorous process that involves a meticulous, in-depth assessment of how a vendor's cloud computing service must be secured, maintained and preserved throughout its operating state.

Specifically, a vendor that has been FedRAMP certified has to submit multiple system and security documents, including the core System Security Plan (SSP), whose template alone is more than 400 pages long.

The SSP is a document that details a cloud system's security controls, to determine how U.S. federal information will be safeguarded. The SSP template is written in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18 titled "Revision 1: Guide for Developing Security Plans for Information Technology Systems."

A full list of the document templates that cloud computing providers and their independent evaluators must submit as part of the FedRAMP accreditation process can be found here: https://www.fedramp.gov/resources/templates-3/

Is this relevant for Qualys customers that aren't U.S. federal agencies?

Yes. While FedRAMP was designed for the benefit of federal government agencies, organizations in the private sector and at other government levels can take this certification into account when evaluating a cloud computing provider.

A cloud services provider that has been certified FedRAMP Compliant has successfully undergone a stringent, painstaking evaluation of its data security safeguards and technology, and must continue to comply with FedRAMP requirements in order to retain its certification status.