What is FedRAMP?
Cloud Service Providers whose offerings could be useful to the federal government should consider obtaining a FedRAMP Authorization. Public sector and private enterprises must meet security requirements on any cloud-based solution to ensure that sensitive data is properly protected while it is outside of their direct control, and that all other relevant security policies are met. FedRAMP is the assessment and authorization process U.S. federal agencies use to ensure proper security controls are in place when accessing cloud computing products and services.
Why is FedRAMP important?
FedRAMP provides a single, consistent process for validating cloud services across all U.S. federal agencies, which streamlines the procurement process for many public sector customers and ensures that consistent baseline security policies are used across different agencies.
Getting FedRAMP authorization is serious business. The FedRAMP Authorization Act was signed into law in December 2022 as part of the FY23 National Defense Authorization Act.

There are 27 applicable laws and regulations involved in FedRAMP, plus another 26 standards and guidance documents. It is one of the most rigorous cloud service certifications in the world.
What does it mean to be FedRAMP compliant?
"FedRAMP compliant" means that all FedRAMP security controls have been implemented for a particular cloud application. FedRAMP Cloud Service Offerings (CSOs) are categorized into one of three impact levels: Low, Moderate, and High.

1. Security Objectives
Confidentiality: Information access and disclosure are restricted, including means for protecting personal privacy and proprietary information.
Integrity: Stored information is sufficiently guarded against improper modification or destruction.
Availability: Timely and reliable access to information is ensured.
2. Impact Levels
Low: Low Impact is most appropriate for CSOs where the loss of confidentiality, integrity, and availability would result in limited adverse effects on an agency's operations, assets, or individuals.

LI-SaaS: SaaS applications that do not store personally identifiable information (PII) beyond that generally required for login capability (i.e. username, password, and email address). Required security documentation is consolidated, and the number of security controls requiring testing and verification is lower than for a standard Low Baseline authorization.
Moderate: Moderate Impact applies to most of the CSOs that receive FedRAMP authorization. This impact level is most appropriate for CSOs where the loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency's operations, assets, or individuals. Serious adverse effects could include significant operational damage to agency assets, financial loss, or individual harm that does not involve loss of life or serious life-threatening injuries.
High: High Impact data is usually found in Law Enforcement and Emergency Services systems, Financial systems, Health systems, and any other system where loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. FedRAMP introduced the High Baseline to account for the government's most sensitive unclassified data in cloud computing environments, including data whose compromise could endanger life or cause financial ruin.
Is it difficult to achieve FedRAMP Authorization?
The FedRAMP Authorization process can be challenging. Without the right expertise, tools, and resources, a well-intended 12-month FedRAMP Authorization initiative can turn into a process of 24 months or more, costing hundreds of thousands of dollars. The level of difficulty, amount of time, and cost depend largely on the level of expertise you employ to navigate the authorization process. Learn more about how we can help you achieve compliance quickly, efficiently, and economically.
Who governs FedRAMP?
FedRAMP is governed by the FedRAMP Program Management Office (PMO), which defines the control sets, establishes the process, and approves all auditors and FedRAMP authorizations.