AWS Partner Network (APN) Blog

6 Steps Towards Achieving FedRAMP Authorization on AWS with Orca Security

By Jason Patterson, Sr. Partner Solutions Architect, Security – AWS
By Louis Simonen, Sr. Director of Federal Sales – Orca Security

Orca Security

Achieving Federal Risk and Authorization Management Program (FedRAMP) authorization is a vital step for cloud service providers (CSPs) that are currently providing or looking to provide cloud services to government agencies and other FedRAMP-authorized CSPs.

As an industry-leading cloud-native application protection platform (CNAPP), the Orca Cloud Security Platform provides comprehensive security across cloud environments, covering compliance frameworks and cloud-native services to help companies navigate and reduce the complexities of achieving FedRAMP authorization on Amazon Web Services (AWS).

In this post, you will learn about the steps needed to deploy a FedRAMP-compliant environment on AWS, and how the Orca Cloud Security Platform can be used to prepare and continuously monitor your environment to meet FedRAMP authorization requirements.

Orca Security is an AWS Specialization Partner and AWS Marketplace Seller with the Security Competency. Orca is a cloud security innovation leader, providing cloud-wide, workload-deep, context-aware security and compliance for AWS without the gaps in coverage, alert fatigue, and operational costs of agent-based solutions.

Step 1: Preparing for FedRAMP and Authorization to Operate

Cloud service providers need to determine the authorization path that best fits the organization. There are two processes a CSP can follow: Agency process and Joint Authorization Board (JAB) process.

Most CSPs choose the Agency process to achieve FedRAMP authorization. This is primarily due to the JAB process requiring a competitive business case that demonstrates current use or high demand of the CSP service within the federal government. Additionally, only 12 CSPs are selected annually to receive JAB authorization.

The next crucial step in the process is identifying a Third-Party Assessment Organization (3PAO) from the FedRAMP Marketplace.

CSPs should evaluate multiple assessors and choose the one that best fits their organization and FedRAMP authorization goals. It’s also advisable that CSPs select a FedRAMP advisor that can help them meet all FedRAMP requirements and guide them through the process.

Figure 2 - FedRAMP authorization process flow.

Figure 1 – FedRAMP authorization process flow.

Most CSPs choose to follow the Agency process, as agencies that are interested in using a cloud service offering (CSO) generally are more vested in the process and willing to keep the authorization process moving along.

It’s advisable, though not necessary, to complete the readiness assessment as your first step in the authorization process. Once the readiness assessment is completed and accepted by the FedRAMP Project Management Office (PMO), the CSP moves to “FedRAMP Ready” status, which means that an agency interested in the CSP’s offering can be comfortable the CSP can and will meet their FedRAMP requirements.

Step 2: Knowing Your Impact Level and Security Categorization

Before you begin building, it’s important to understand the potential impacts a service outage or data breach may have on an agency’s assets and operations.

Federal Information Processing Standards (FIPS) 199 provides the standards for categorizing information. CSPs will need to use these standards to ensure their services meet the minimum security requirements for processing, storing, and transmitting federal data.

In general, the process consists of assigning an impact level (Low, Moderate, High) to each component of the CIA Security Triad (Confidentiality, Integrity, and Availability) for every information type stored in the system.

Guidance for determining these factors can be found in the NIST Special Publication 800-60 Volume I Revision 1: Guide for Mapping Types of Information and Information Systems to Security Categories, and in the NIST Special Publication 800-60 Volume II Revision 1: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories.

These publications align directly with FIPS 199 and FedRAMP requirements, which can be found in the FedRAMP High, Moderate, Low, LI-SaaS Baseline Systems Security Plan (SSP), Appendix K, and will assist you in determining the security categorization of the data stored within your CSO, hosted on the Documents and Templates page of the website.

Step 3: Where to Deploy Regulated Workloads

AWS provides multiple regions that comply with FedRAMP security requirements in alignment with your systems impact level. For the Low and Moderate baselines, AWS US-East and US-West regions meet the FedRAMP security requirements.

Some agencies, departments, and workloads may require your system be restricted to only US citizens. To meet that requirement, AWS provides AWS GovCloud (US) and the services required to comply with the FedRAMP High baseline. AWS GovCloud (US) regions can help address either your FedRAMP Moderate or High compliance needs.

All AWS US-based regions have been issued a FedRAMP Provisional Authorization to Operate (P-ATO) by the Joint Authorization Board.

Step 4: Select Approved Services

AWS offers a broad range of services, but not all services have been issued a FedRAMP P-ATO. The next step in your journey is to identify the AWS services you will be using in your cloud service offering, and to validate each service is FedRAMP-authorized in the AWS region selected at the impact level needed.

Refer to the AWS Services in Scope by Compliance Program for a full list of services.

Step 5: Deploy a Security Strategy

The goal of FedRAMP is to provide agencies and organizations looking to deliver cloud services with a standardized security framework that ensures the safe and secure adoption of cloud technologies through an “authorize once, use many” approach.

FedRAMP has both technical and operational security control requirements, which can be challenging even for the most sophisticated CSP. Just to name a few on the technical side, there are requirements for asset inventory, vulnerability scanning, configuration management, malware detection, incident investigation and response, and identity and access management.

Orca’s collaboration and integration with AWS enables CSPs to deploy a single cloud-native security platform. The Orca platform provides insight into the full catalog of AWS services, including all assets, vulnerabilities, STIG and CIS benchmarks, misconfigurations, and identity issues. Reducing the number of security tools while harmonizing visibility eases the complexity of multiple tool management.

In the partnership between a CSP and their sponsoring agency, they need to begin preparing for their authorization assessment. This includes developing all of the necessary documentation, including boundary diagrams and a System Security Plan (SSP), operational processes, and deploying the technical controls, such as STIGs for FedRAMP NIST 800-53 Rev. 5.

The CSP assessment process and scheduling for achieving an Authorization to Operate (ATO) includes working with the partnering agency, the 3PAO and the FedRAMP PMO. This starts with developing a Security Assessment Plan (SAP) which incorporates the documents, activities, dates, and milestones with the partnering agency and CSP.

Upon completion and agreement between the CSP and agency, the SAP is submitted for approval by the FedRAMP PMO. When the SAP is approved by the FedRAMP PMO, a kickoff call is scheduled with the partnering agency, 3PAO, and CSP to review the CSP’s offering, assessment plan, and FedRAMP PMO engaged in the process. Once this kickoff is completed, the CSP can begin its assessment with their 3PAO.

It’s expected the 3PAO will identify issues which they’ll note and communicate to the CSP for remediation. The CSP will have time to remediate (or request an exception to) findings prior to the final Security Assessment Report (SAR) that will be delivered to the sponsor and FedRAMP PMO for review.

For findings that cannot be remediated prior to the SAR completion, the CSP creates a Plan of Action and Milestone (POA&M) that is tracked by both the Agency and FedRAMP PMO.

All of this data, testing results, operational processes and procedures, vulnerability management, and POA&M management must be continually monitored and reported to the partnering agency and FedRAMP PMO in order to maintain compliance and ATO status.

Leveraging Orca’s cloud security platform helps CSPs manage FedRAMP’s operational requirements by providing a single, simplified view on technical security compliance status daily. This single view enables CSPs to resolve issues faster, track technical security issue status, and maintain FedRAMP compliance.

Figure 1 - Orca Security’s continuous monitoring dashboard.

Figure 2 – Orca Security’s continuous monitoring dashboard.

Step 6: Continuous Monitoring, Compliance, and Reporting

A key pillar for FedRAMP authorization is establishing and maintaining a security posture aligned to the CSP’s designation level (High, Moderate, LI-SaaS). To accomplish this and maintain compliance, CSPs are required to implement and perform continuous monitoring (ConMon). The output of ConMon is reporting on the security and compliance status of the CSP’s FedRAMP environment on a periodic basis.

The frequency of ConMon reporting varies somewhat depending on the control requirements. For example, vulnerability reporting is monthly, but Auditable Events (AU-2(3)) can be annually. Overall, CSPs are required to report monthly on their security status, any deviations, and plans to remediate deviations. When using AWS’s FedRAMP-authorized services in combination with the Orca Cloud Security Platform, CSPs are able to quickly collect the technical security data required for complying with ConMon requirements.

Additionally, the Orca platform empowers CSP security teams to more efficiently aggregate information for inclusion in the ConMon reporting, through simply downloading the applicable report. Orca can also provide custom compliance reporting for instances when an agency has additional control requirements, or the CSP has other compliance or regulatory obligations.


Orca Security is uniquely positioned with AWS to help cloud service providers and agencies adopt cloud services more rapidly and securely. When leveraged together, AWS’s FedRAMP services and solutions paired with the Orca Cloud Security Platform, CSPs can reduce the complexities and improve their operational efficiency when pursuing or maintaining their FedRAMP-authorized offering.

The Orca Cloud Security Platform has earned the FedRAMP “In Process” status designation, and is in the PMO review phase. Cloud service providers will need to seek independent agency approval for use of Orca’s Cloud Security Platform within their FedRAMP environment at the time this post was published. Please refer to the FedRAMP Marketplace for the latest status designation.


Orca Security – AWS Partner Spotlight

Orca Security is an AWS Specialization Partner that provides cloud-wide, workload-deep, context-aware security and compliance for AWS without the gaps in coverage, alert fatigue, and operational costs of agent-based solutions.

Contact Orca Security | Partner Overview | AWS Marketplace