FedRAMP (Federal Risk and Authorization Management Program) is a government-wide program that streamlines the assessment, authorization and continuous-monitoring (ConMon) requirements for cloud-based IT services. It is how the federal government ensures that its cloud IT services do not put sensitive data or systems at unnecessary risk. Bottom line, Cloud Service Providers (CSPs) wanting to serve US government agencies must first obtain a FedRAMP Authorization to Operate (ATO). The process of obtaining an ATO is commonly referred to as FedRAMP certification or FedRAMP compliance.
Designed to apply the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF) approach to cloud solutions, the FedRAMP program embraces the concept that CSPs can build and verify their compliant Cloud Service Offerings (CSOs) once and then reuse that verification to deliver them to multiple agencies.
The FedRAMP program was introduced in 2011 as a natural step in the government’s IT modernization efforts, which began in 2002 with the E-Gov Act and the establishment of FISMA (the Federal Information Security Management Act), followed by NIST’s Special Publication 800-53. NIST 800-53 is the official security control catalog for the federal government and is a free resource. As IT solutions rapidly migrated over the next 10 years into the cloud – where they could be reliably accessed as on-demand, flexible, and cost-effective services – regulations, standards, expectations, and program competencies around cloud cybersecurity evolved as well. Cloud services that are FedRAMP certified or compliant are listed on the FedRAMP Marketplace, a website maintained by the FedRAMP Program Management Office (PMO) within the GSA.
FedRAMP defines cybersecurity baseline controls for low, moderate, and high impact systems that apply to Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) offerings. CSPs wanting to serve US government agencies must acquire a FedRAMP Authorization to Operate (ATO), which is a unique type of certification that requires a federal sponsor. In other words, a CSP cannot acquire a FedRAMP ATO without a US federal agency acting as its sponsor or initiating agency. FedRAMP sponsorship comes in two flavors: agency sponsorship and Joint Authorization Board (JAB) sponsorship.
For organizations planning to pursue FedRAMP certification, here are some helpful resources for further analysis and planning.
FedRAMP Authorization Act: Implications for Cloud Service Providers
Preparing for FedRAMP – Whitepaper
Achieving DOD IL-4 ATO Lessons Learned
How much does it cost to prepare for FedRAMP
We hope you find these resources helpful. Please contact us to schedule a free consultation and planning discussion.