FedRAMP

FedRAMP® authorization is a prerequisite for organizations seeking to do business with the U.S. government. 

FedRAMP stands for Federal Risk and Authorization Management Program. The U.S. government established FedRAMP in 2011 to provide a unified framework for assessing, authorizing, and monitoring the security of cloud products and services used by government agencies. 

The program streamlines the security assessment process, ensuring consistency and efficiency while maintaining stringent security standards.

While not a requirement for businesses who want to work with state and local governments, FedRAMP authorization is still seen as a highly desirable certification. 

The importance of FedRAMP authorization and compliance

FedRAMP authorization holds immense significance for cloud service providers (CSPs) operating in the government sector. It serves as a mark of credibility, assuring federal agencies that a cloud product or service has undergone rigorous security assessments and complies with stringent requirements. 

By obtaining FedRAMP authorization, technology suppliers demonstrate their commitment to protecting sensitive information and adhering to the highest security standards. For example, until recently, staffers at federal agencies were prohibited from using the WordPress content management system (CMS) in their daily work for certain scenarios and use cases.  

High-profile companies and products that are FedRAMP-authorized include Adobe, Amazon Web Services, Slack, WordPress VIP, and Zendesk.

FISMA impact levels and compliance

FedRAMP compliance refers to the adherence of a CSP to the security requirements and controls outlined by the Federal Information Security and Management Act (FISMA). FISMA’s impact levels are defined by the relative risk to the agency of loss of confidentiality, integrity, or availability of the data contained within the system.

A FedRAMP CSP is authorized to store and process data at a specific impact level:

• Low Impact: The loss would lead to a limited adverse effect on the organization.

• Moderate Impact: The organization would experience serious adverse effects.

• High Impact: The organization would experience severe or catastrophic consequences.

The steps to becoming FedRAMP authorized

To become FedRAMP authorized, organizations must undergo a thorough assessment of their cloud offerings, which includes evaluating security controls, vulnerability management, incident response procedures, and data protection mechanisms. 

There are two pathways to become FedRAMP authorized. 

1. Joint Authorization Board Provisional Authority to Operate

The first way to achieve FedRAMP authorization is through a Joint Authorization Board Provisional Authority to Operate (JAB P-ATO). The JAB consists of representatives from the General Services Administration, the Department of Defense, and the Department of Homeland Security. 

CSPs seeking JAB P-ATO must undergo a rigorous assessment by an accredited Third-Party Assessment Organization (3PAO) and then submit their security package to the JAB for review.

The P-ATO allows any agency to accept the CSP’s documentation and grant their own ATO with very little additional review.

2. Agency authorization

The other path to obtain FedRAMP authorization is through FedRAMP’s agency authorization process. In this case, the CSP seeks authorization directly from a specific federal agency or agencies. The process involves engaging an accredited 3PAO to conduct the security assessment and working closely with the agency’s Authorizing Official to align with their specific requirements.

Once this work is complete, the FedRAMP Program Management Office (PMO) reviews the assessment work done and lists the CSP as authorized on the FedRAMP marketplace.

The CSP must address any vulnerabilities identified during the assessment and develop a comprehensive security package to be submitted for the agency’s review. 

If the agency grants ATO, the CSP is authorized to offer their cloud product or service to that particular agency. Other agencies can request the authorization package and grant their own ATO without going through the entire process all over again.