FedRAMP® authorization is a prerequisite for organizations seeking to do business with the U.S. government.
FedRAMP stands for Federal Risk and Authorization Management Program. The U.S. government established FedRAMP in 2011 to provide a unified framework for assessing, authorizing, and monitoring the security of cloud products and services used by government agencies.
The program streamlines the security assessment process, ensuring consistency and efficiency while maintaining stringent security standards.
While not a requirement for businesses who want to work with state and local governments, FedRAMP authorization is still seen as a highly desirable certification.
The importance of FedRAMP authorization and compliance
FedRAMP authorization holds immense significance for cloud service providers (CSPs) operating in the government sector. It serves as a mark of credibility, assuring federal agencies that a cloud product or service has undergone rigorous security assessments and complies with stringent requirements.
By obtaining FedRAMP authorization, technology suppliers demonstrate their commitment to protecting sensitive information and adhering to the highest security standards. For example, until recently, staffers at federal agencies were prohibited from using the WordPress content management system (CMS) in their daily work for certain scenarios and use cases.
High-profile companies and products that are FedRAMP-authorized include Adobe, Amazon Web Services, Slack, WordPress VIP, and Zendesk.
FISMA impact levels and compliance
FedRAMP compliance refers to the adherence of a CSP to the security requirements and controls outlined by the Federal Information Security and Management Act (FISMA). FISMA’s impact levels are defined by the relative risk to the agency of loss of confidentiality, integrity, or availability of the data contained within the system.
A FedRAMP CSP is authorized to store and process data at a specific impact level:
- Low Impact: The loss would lead to a limited adverse effect on the organization.
- Moderate Impact: The organization would experience serious adverse effects.
- High Impact: The organization would experience severe or catastrophic consequences.
The steps to becoming FedRAMP authorized
To become FedRAMP authorized, organizations must undergo a thorough assessment of their cloud offerings, which includes evaluating security controls, vulnerability management, incident response procedures, and data protection mechanisms.
There are two pathways to become FedRAMP authorized.
1. Joint Authorization Board Provisional Authority to Operate
The first way to achieve FedRAMP authorization is through a Joint Authorization Board Provisional Authority to Operate (JAB P-ATO). The JAB consists of representatives from the General Services Administration, the Department of Defense, and the Department of Homeland Security.
CSPs seeking JAB P-ATO must undergo a rigorous assessment by an accredited Third-Party Assessment Organization (3PAO) and then submit their security package to the JAB for review.
The P-ATO allows any agency to accept the CSP’s documentation and grant their own ATO with very little additional review.
2. Agency authorization
The other path to obtain FedRAMP authorization is through FedRAMP’s agency authorization process. In this case, the CSP seeks authorization directly from a specific federal agency or agencies. The process involves engaging an accredited 3PAO to conduct the security assessment and working closely with the agency’s Authorizing Official to align with their specific requirements.
Once this work is complete, the FedRAMP Program Management Office (PMO) reviews the assessment work done and lists the CSP as authorized on the FedRAMP marketplace.
The CSP must address any vulnerabilities identified during the assessment and develop a comprehensive security package to be submitted for the agency’s review.
If the agency grants ATO, the CSP is authorized to offer their cloud product or service to that particular agency. Other agencies can request the authorization package and grant their own ATO without going through the entire process all over again.
FedRAMP and WordPress VIP
A recent Deloitte survey revealed that 70% of federal organizations believe they are falling behind private sector websites in terms of digital capabilities, struggling especially with inflexible content management systems. This hampers their ability to create and deliver digital experiences quickly and efficiently across various platforms.
The first and only FedRAMP-authorized WordPress platform, WordPress VIP allows staffers in the public sector to use WordPress, the world’s most popular CMS, in confidence, as part of a secure and compliant platform for their digital initiatives.
Guide to FedRAMP-related acronyms
- FedRAMP: Federal Risk and Authorization Management Program
- 3PAO: Third-Party Assessment Organization
- ATO: Authority to Operate
- CSP: Cloud Service Provider
- FISMA: Federal Information Security and Management Act
- JAB P-ATO: Joint Authorization Board Provisional Authority to Operate
- PMO: Program Management Office