FedRAMP stands for Federal Risk and Authorization Management Program. It is based on NIST SP 800-53 but extends it to address the specifics of cloud computing. If you want to carry out any work for the federal government, then you probably need your cloud to be FedRAMP compliant. Even if you don’t, FedRAMP compliance can still be very useful.
FedRAMP assesses three different areas of security. These are confidentiality, integrity, and accessibility. In essence, FedRAMP requires providers to demonstrate that they can keep data away from unauthorized users, protect it from corruption and make sure that it is always available.
FedRAMP has four impact levels. These are high, medium, low, and Low-Impact Software-as-a-Service, also known as Li-SaaS and FedRAMP Tailored. This last option can be used as an intermediary step to a higher level of FedRAMP compliance. Doing so can allow a business to take on some work for the government while it is working on the more in-depth certification.
Prior to FedRAMP, each federal agency set its own rules on what security it expected from its vendors. This meant that every time a vendor wanted to work with a different government agency, it had to meet a new set of security requirements. Inevitably, there was a lot of duplication but there was also a lot of variation between agencies.
In 2012, FedRAMP was introduced to make life simpler for everyone. It is a standardized set of security requirements that are accepted across all federal government agencies. This means that a vendor only has to achieve FedRAMP compliance once. After this, they can bid for work with any federal government agency.
If you are a cloud service provider looking to achieve FedRAMP compliance, there are two paths you can take. The first is to get authorization from a specific government agency. The second is to get authorization from the Joint Authorization Board (JAB). JAB is made up of representatives from the Department of Homeland Security, the General Services Administration, and the Department of Defense.
If you go through the agency path, you can choose to go straight to the pre-authorization process. It is highly recommended, though not mandatory, to start with a readiness assessment and then go on to the pre-authorization process.
Assuming you pass the pre-authorization process, you will then move on to the full security assessment and then finally the agency authorization process. By the end of this, you will be FedRAMP compliant but you will still be subject to continuous monitoring.
The JAB process begins with FedRAMP Connect. It then goes on to a mandatory readiness assessment before the full security assessment. There is no pre-authorization stage. If you are successful, you go through the JAB authorization process. Again, once you are authorized, you will still be subject to continuous monitoring.
In theory, you could achieve FedRAMP compliance in as little as two months. In reality, you would probably be looking at a bare minimum of 4-6 months. Many authorizations can take 6-18 months. This is generally due to the combination of their complexity and the time required to get the necessary resources at either the agency or JAB.
On the plus side, you can retain your FedRAMP authorization for as long as you successfully pass the ongoing security audits you will be required to undertake.
The most obvious business benefit of FedRAMP compliance is that it enables you to work with federal government agencies. Additionally, many states and local authorities explicitly or implicitly require FedRAMP compliance. In other words, they either mandate that their vendors are FedRAMP compliant or copy and paste the FedRAMP requirements into their own contracts.
Taking this even further, some business customers may want their suppliers to have FedRAMP compliance. This could be because they work for a customer that requires it or just because they feel it demonstrates the very highest standards of cloud security. In fact, that in itself can be a strong argument for being able to meet its standards.
All businesses that achieve FedRAMP compliance are automatically listed in the FedRAMP marketplace. This was created to be a go-to resource for federal agencies. Essentially it shows them what vendors are already capable of meeting their security requirements. These are the vendors that are most likely to be asked to bid for work.
The FedRAMP marketplace is also open to the public. It tends to be checked by businesses that want the highest levels of security for their data.