Cloud computing is the new norm for most organizations; it saves time, costs, and storage space, empowering teams to increase productivity, accessibility, and reliability. Because of this, many government agencies have switched to cloud computing. But with such private, personal information, how do they keep all that data safe?
In an effort to prioritize the security of government information, the government created the FedRAMP program.
So what is FedRAMP? What is the US government hoping to achieve through it? And how can a cloud service provider get certified to participate as a client in this program?
The answers follow below.
What Does FedRAMP Stand For?
“FedRAMP” stands for “Federal Risk and Authorization Management Program.”
What is FedRAMP?
FedRAMP is a US government program designed to promote the secure adoption and use of cloud computing services by federal government agencies. It aims to provide risk-based standards for the federal government adopting and using cloud technologies, emphasizing information protection.
What’s the Purpose of FedRAMP?
The FedRAMP program’s goal is for US federal government agencies to adopt more consistent and cost-effective cloud solutions while better securing access to sensitive government information.
Some of FedRAMP’s specific goals include:
- Expand the number of secure cloud services used by the federal government
- Improve standards for cloud access and overall security
- Form strong partnerships between the federal government and cloud service providers
FedRAMP Certification: What You Need to Know
So what does it take to become FedRAMP compliant, and what’s the point of doing so? We’ll offer a comprehensive explanation in this section.
What is FedRAMP Certification?
FedRAMP certification is the process by which a cloud service provider is authorized to hold data belonging to the US federal government.
Why FedRAMP Certification Matters
Beyond being a requirement for a cloud service provider to work with the US federal government, being FedRAMP certified is important for other reasons. These include:
- More consistent cloud security: Having all cloud service providers working with the federal government subject to the same security standards makes monitoring and evaluating the government’s cloud security more consistent.
- Faster government adoption of cloud solutions: Government agencies can simply adopt a cloud solution from a vendor that is already certified in the FedRAMP marketplace, rather than waiting for a different provider to gain certification.
- Increased exposure for certified vendors: In addition to being the first companies government agencies look to for cloud solutions, FedRAMP certified vendors can also attract private sector clients because the FedRAMP approved list is publicly available.
- Elevated trust in certified vendors: Being trusted enough to handle data for the US federal government makes FedRAMP authorized vendors attractive to both public and private sector clients that want to prioritize security for their cloud services.
So FedRAMP compliance is a win-win situation for both the government and cloud service providers.
The 3 FedRAMP Certification Levels
FedRAMP authorization is a three-tier system based on how well cloud services can fulfill three security objectives:
- Confidentiality: How well do the service’s information access and disclosure mechanisms protect personal privacy and sensitive information?
- Integrity: How effectively does the service guard against unauthorized modification or deletion of stored information?
- Availability: How reliable and timely is the service in providing information requested by a user?
Based on this framework, cloud services are categorized into three FedRAMP certification levels: low impact, moderate impact, and high impact.
Low Impact Level
Low-impact services are those where failure to fulfill the security objectives won’t cause significant trouble for operations, assets, or individuals. These are typically applications that don’t store much personal information beyond standard login credentials such as email addresses, usernames, and passwords.
Moderate Impact Level
Moderate-impact services account for the majority of applications currently part of the FedRAMP program. Failure to fulfill the security objectives for these services can result in significant damage to operations or assets, severe financial losses, or considerable non-physical harm to a person (or people).
High Impact Level
High-impact services are those that deal with the government’s most sensitive unclassified data. That includes data in sectors like law enforcement, emergency services, finance, and healthcare. If these services fail to achieve the FedRAMP security objectives, the result could be catastrophic financial losses and even loss of life.
So what does it take to become FedRAMP authorized? We’ll cover the process next.
FedRAMP Certification Requirements
FedRAMP requirements are split between two paths: one that goes through a specific government agency, and the other through the Joint Authorization Board (JAB). A FedRAMP requirements checklist for each path is outlined below.
Agency authorization
- Readiness assessment (optional): The cloud service provider works with an accredited third-party assessment organization to determine its capacity for meeting federal security requirements.
- Pre-authorization: The cloud service provider makes technical and procedural adjustments to conform with federal security requirements, then meets with the agency to discuss how the cloud service will be implemented.
- Full security assessment: The accredited third-party assessment organization reviews and tests the cloud service provider’s system security plan, then helps the cloud service provider develop a plan of action to address assessment findings.
- Agency authorization: The agency reviews the security assessment, tests the cloud application’s customer-responsible controls, conducts a risk analysis, and decides whether or not to issue an authority to operate (ATO) letter.
- Continuous monitoring: If a review by FedRAMP’s project management office allows for final authorization, the cloud service provider must provide monthly and annual security reports and assessments.
JAB authorization
- FedRAMP Connect: FedRAMP’s JAB selects cloud services to work on authorization with, based on their business cases and FedRAMP’s priorities.
- Readiness assessment: The cloud service provider works with an accredited third-party assessment organization to determine its capacity for meeting federal security requirements.
- Full security assessment: The accredited third-party assessment organization reviews and tests the cloud service provider’s system security plan, then helps the cloud service provider develop a plan of action to address assessment findings.
- JAB authorization: All parties review the cloud service’s security capabilities and risk profile, including through monthly monitoring updates and issue remediation, until the JAB decides to issue a provisional authority to operate (P-ATO).
- Continuous monitoring: The cloud service provider provides monthly and annual security reports and assessments to any agencies that authorize its service(s), with the JAB acting as a focal point for review and remedial action.
So how much does it cost a cloud provider company to meet FedRAMP compliance requirements? We’ll briefly cover that below.
FedRAMP Certification Cost
The cost of getting certified by FedRAMP depends on a number of factors. These include the level of certification sought (low vs. moderate vs. high impact); the amount of work needed to bring a company’s technology and procedures in line with federal security standards; and the amount of consulting needed to review, test, and report on a cloud service’s security setup.
Generally, an average minimum starting budget of $250,000 isn’t unreasonable for seeking FedRAMP certification. For some higher-impact projects, though, those costs can reach around $2-3 million.
Who Regulates FedRAMP?
FedRAMP is regulated by a collective of US federal agencies that each have different roles to play in the program’s maintenance. They include:
- Joint Authorization Board: Makes decisions on which cloud services are or are not allowed to be part of FedRAMP. It includes officials from the Department of Homeland Security, the General Services Administration, and the Department of Defense.
- Office of Management and Budget: Designed the FedRAMP program, including its objectives and membership requirements.
- CIO Council: Promotes FedRAMP to federal agencies and cloud service providers.
- Project Management Office: Develops and manages FedRAMP’s daily operations.
- Department of Homeland Security: Manages ongoing monitoring of authorized cloud services, including reporting, threat detection, and incident response.
- National Institute of Standards and Technology: Advises FedRAMP on US federal government security requirements, and develops criteria for accrediting third-party assessment organizations.