Cloud computing is the new norm for most organizations; it saves time, costs, and storage space, empowering teams to increase productivity, accessibility, and reliability. Because of this, many government agencies have switched to cloud computing. But with such private, personal information, how do they keep all that data safe?
In an effort to prioritize the security of government information, the government created the FedRAMP program.
So what is FedRAMP? What is the US government hoping to achieve through it? And how can a cloud service provider get certified to participate in the program?
The answers follow below.
“FedRAMP” stands for “Federal Risk and Authorization Management Program.”
FedRAMP is a US government program designed to promote the secure adoption and use of cloud computing services by federal government agencies. It provides risk-based standards for federal agencies adopting and using cloud technologies, with an emphasis on protecting information.
The FedRAMP program’s goal is for US federal government agencies to adopt more consistent and cost-effective cloud solutions while better securing access to sensitive government information.
Some of FedRAMP’s specific goals include:
So what does it take to become FedRAMP compliant, and what’s the point of doing so? We’ll offer a comprehensive explanation in this section.
FedRAMP certification is the process by which a cloud service provider is authorized to hold data belonging to the US federal government.
Beyond being a requirement for a cloud service provider to work with the US federal government, being FedRAMP certified is important for other reasons. These include:
So FedRAMP compliance is a win-win situation for both the government and cloud service providers.
FedRAMP authorization is a three-tier system based on the impact if a cloud service fails to meet three security objectives:
Based on this framework, cloud services are categorized into three FedRAMP certification levels: low impact, moderate impact, and high impact.
Low-impact services are those where failure to fulfill security objectives won’t cause significant trouble for operations, assets, or governed individuals. These are typically applications that don’t store much personal information other than standard login credentials like email addresses, usernames, and passwords.
Moderate-impact services account for the majority of applications currently in the FedRAMP program. For these services, failure to fulfill the security objectives can result in significant damage to operations or assets, severe financial loss, or considerable non-physical harm to one or more individuals.
High-impact services are those that handle the government’s most sensitive unclassified data, including data in sectors such as law enforcement, emergency services, finance, and healthcare. If these services fail to meet the FedRAMP security objectives, the result could be catastrophic financial loss or even loss of life.
So what does it take to become FedRAMP authorized? We’ll cover the process next.
FedRAMP requirements are split between two authorization paths: one sponsored by a specific government agency, and the other through the Joint Authorization Board (JAB). A FedRAMP requirements checklist for each path is outlined below.
So how much does it cost a cloud provider company to meet FedRAMP compliance requirements? We’ll briefly cover that below.
The cost of getting certified by FedRAMP depends on a number of factors. These include the level of certification sought (low, moderate, or high impact); the amount of work needed to bring a company’s technology and procedures in line with federal security standards; and the amount of consulting needed to review, test, and report on the cloud service’s security setup.
Generally, a minimum starting budget of around $250,000 is a reasonable expectation when seeking FedRAMP certification. For some higher-impact projects, though, costs can reach around $2-3 million.
FedRAMP is regulated by a collective of US federal agencies that each have different roles to play in the program’s maintenance. They include: