Demystifying FedRAMP - Part 1 - Is an NDA with FedRAMP needed to protect my company’s trade secrets?
While providing FedRAMP consulting for our customers, we have had to address a variety of questions, ranging from the strategic to the very specific, such as how a Cloud Service Provider (CSP) should treat the information in its System Security Plan (SSP). In addressing these questions, we have sometimes floated questions to the FedRAMP PMO, gotten clarification and guidance from 3PAOs, sought answers from public sources, or simply learned from experience. This series is intended to help answer some of the tougher questions that aren’t readily addressed by the usual sources, including:
- Part 1 - Is an NDA with FedRAMP needed to protect my company’s trade secrets?
- Part 2 - If I follow FedRAMP requirements and get a pATO, my cloud service will be well designed and attractive to Federal Agencies, right?
- Part 3 - Is system documentation included in the system boundary? What classification should be placed on our system security plan and overall package?
- Part 4 - Who is allowed to work on the system or access the SSP documentation? What about non-US Persons / non-US Citizens?
- Part 5 - What is required to accomplish continuous monitoring, and how can we prepare?
- Part 6 - How should I classify my system?
To kick off the series, we will be addressing question #1, “Is an NDA with FedRAMP needed to protect my company’s trade secrets?”.
No, you do not need a non-disclosure agreement (NDA) with the FedRAMP Program Management Office (PMO), nor will they sign one. When you deal with the FedRAMP PMO, you are dealing with a department within the General Services Administration (GSA) of the Federal Government. Federal law, in the form of the Trade Secrets Act, provides protections for business-to-government (B2G) dealings, including those with the FedRAMP PMO, that go beyond those found in typical business-to-business (B2B) NDAs. Contract personnel in the FedRAMP PMO are required to sign non-disclosure agreements that flow those protections down to them.
Additionally, the FedRAMP PMO is responsible for managing external access to a CSP’s security package. Once the CSP has achieved a pre-Authority to Operate (pATO), the Security Package is posted in MAX.gov. Inquiring agencies must submit a form to the FedRAMP PMO to review the CSP’s Security Package, and the same Trade Secrets Act protections apply to those agency reviewers.
Considering these protections, InfusionPoints still recommends disclosing only the necessary information to describe control implementations to a level that satisfies the 3PAO and PMO reviewers. This can be a difficult line to find, but leveraging an experienced advisory firm like InfusionPoints can help provide the right level of detail without unnecessary disclosure of trade secrets. InfusionPoints has been providing FedRAMP cloud consulting, advisory services, and cloud operations since 2013 and has experience with the full range of FedRAMP clouds including FedRAMP High, FedRAMP Moderate, FedRAMP Tailored Low Impact Software as a Service (LI-SaaS), and DoD CC SRG IL2, IL4, and IL5.
Join us for Part 2 in the series where we will answer the question, “If I follow FedRAMP requirements and get a pATO, my cloud service will be well designed and attractive to Federal Agencies, right?”