How to get FedRAMP Moderate Certified? FedRAMP Compliance and Marketplace Listing Explained

The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that promotes the adoption of secure commercial cloud services across the federal government. The FedRAMP program streamlines the acquisition of cloud services by providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information.

FedRAMP compliance is a security and compliance accreditation requirement for commercial cloud service providers (CSPs) looking to sell their solutions to US Government agencies. FedRAMP certifications are managed by GSA, the US Government agency tasked with operating the program. Federal agencies select and procure commercial cloud services based on their security requirements, which map to specific security levels called baselines. There are four major security baselines in the FedRAMP program: High, Moderate, Low and Low-Impact SaaS (LI-SaaS).

What is FedRAMP Compliance?

FedRAMP is a government-wide program for authorizing cloud services that was established by Congress and is managed by GSA. The FedRAMP program provides a standardized approach to securing systems, assessing security controls, and continuously monitoring cloud services used by federal agencies. The FedRAMP program allows commercial organizations to streamline the compliance and certification process through a “certify once, use many times” model across agencies. The program’s key participants are the FedRAMP PMO, the JAB, federal agencies, cloud service providers, and third-party assessor organizations (3PAOs). The FedRAMP PMO (Program Management Office) is headed by GSA and serves as the facilitator of the program. The office’s responsibilities include managing the program’s day-to-day operations and creating guidance and templates for agencies and cloud service providers to use when developing, assessing, authorizing, and continuously monitoring cloud services per federal requirements.

Understanding the FedRAMP Moderate Baseline

The FedRAMP Moderate baseline is based on Federal Information Processing Standard (FIPS) 199, which provides the standards for categorizing information and information systems. It is important that commercial cloud service providers understand the impact level of their offering(s) and correlated security categorization when developing their authorization strategy. The baselines are developed across three security objectives: Confidentiality, Integrity, and Availability.

The vast majority of federal data is classified at the Moderate baseline level. There are 325 security controls that must be implemented based on the NIST Special Publication 800-53 Rev 4 requirements. The FedRAMP Moderate baseline based on the NIST Special Publication 800-53 Rev 5 is expected to have 304 controls.

The FedRAMP Marketplace has around 300 authorized commercial cloud services, of which more than 80% are accredited at the FedRAMP Moderate baseline.

FedRAMP Marketplace Listing

The Marketplace is the authoritative source for commercial cloud service offerings (CSOs) that have achieved a FedRAMP Marketplace designation. Federal agencies can use the FedRAMP Marketplace to research which CSOs have achieved a FedRAMP Ready, In Process, or Authorized status. The FedRAMP Marketplace is a highly visited website where not only government, but also commercial organizations go to vet and select highly secure commercial cloud services. The FedRAMP certification and compliance process is considered a global gold standard for cybersecurity.

Getting listed on the FedRAMP Marketplace is a very important milestone for any organization pursuing FedRAMP certification and accreditation. In general, there are two ways to get listed: 1) going through a readiness assessment conducted by a 3PAO, or 2) obtaining an In Process listing by finding an agency sponsor. You can learn more about the FedRAMP Marketplace and the various designations by reading this blog.

Accelerating FedRAMP Moderate Compliance and Certification

Conducting market research and getting a sense of options and trends is essential to making an informed decision on selecting the right FedRAMP ATO (Authority To Operate) strategy.

Here are some available links with additional content for research.

This blog post provides details on specific cost line items and critical drivers. The blog post also includes comments from FedRAMP SMEs and the CISOs/CTOs of companies that have successfully achieved FedRAMP compliance.

Are you interested in FedRAMP certification? Schedule a free consultation to learn more about our FedRAMP Accelerator Assessment that can reduce the time and cost of your project by over 40%.