Federal Risk and Authorization Management Program [FedRAMP]

The Federal Risk and Authorization Management Program (FedRAMP) is a cyber security risk management program for the purchase and use of cloud products and services used by U.S. federal agencies. Only cloud service providers (CSP) with FedRAMP approval may work with government agencies. The program was initiated by the Office of Management and Budget (OMB) in response to the U.S. government's 2011 Cloud First Policy.

Before a commercial cloud service offering (CSO) can be used by a federal agency, it must demonstrate that it meets all FedRAMP compliance requirements. These requirements are outlined in NIST 800-53 (the gold standard in security) and supplemented by the FedRAMP Program Management Office (PMO). Authorization is granted to the cloud service provider (CSP) through the provision of what is known as the FedRAMP Authority to Operate (ATO). More about this later.

CSPs must meet the following high-level requirements to achieve FedRAMP compliance and authorization:

  • Completion of FedRAMP documentation including the FedRAMP SSP

  • Implementation of controls that comply with FIPS 199 categorization

  • Assessment of the commercial cloud offering by a FedRAMP Third Party Assessment Organization (3PAO)

  • Development of a Plan of Action and Milestones (POA&M)

  • Obtaining a Joint Authorization Board (JAB) Provisional ATO (P-ATO) or an Agency ATO

  • Implementation of a Continuous Monitoring (ConMon) program including monthly vulnerability scans

When you work with a FedRAMP-Authorized CSP, you aren't simply meeting compliance requirements; you are also providing a range of security benefits and efficiencies for your organization.

Agencies that apply the FedRAMP framework to their evaluation of cloud services and products can achieve the following benefits:

  • Significant cost and time savings compared to carrying out independent assessments, many of which are redundant

  • Uniform evaluation and authorization of cloud information security controls

  • Enhanced insights into cloud security controls

  • Confidence in the validity of assessments and the reduction of cloud security concerns

  • A faster cloud adoption roadmap

The FedRAMP process may be rigorous, but once an ATO or P-ATO has been obtained, the CSP will have a wealth of opportunities to expand its offerings throughout various federal government agencies and offices. For federal agencies looking to adopt cloud-based solutions, FedRAMP provides confidence in approved solutions, saves time and money on evaluation, and significantly reduces the risk of cybersecurity threats.

We have been a trusted partner and advisor to the government for over 10 years, and taking part in the FedRAMP program shows how seriously we take our relationship with our federal customers and the investments we are making to enable federal agencies to increase security and compliance. The federal government has some of the highest standards for cloud solutions of any organization in the world. The FedRAMP authorization process validates that our security controls meet the high standards required by U.S. federal agencies to protect government systems and infrastructure.