DataBank Establishes $725M Financing Facility to Support Growth. Read the press release.

Becoming a Certified FedRAMP Cloud Services Provider: Is It Right for You?

Becoming a Certified FedRAMP Cloud Services Provider: Is It Right for You?

Becoming a certified FedRAMP cloud services provider is an intense and often lengthy process. It’s therefore important to decide whether or not the benefits are worth the work (and costs) it entails. With that in mind, here is a quick guide to help you decide whether or not to become a certified FedRAMP cloud services provider.

The business benefits of becoming a certified FedRAMP cloud services provider

The most obvious business benefit of becoming a certified FedRAMP cloud services provider is that it enables you to work for any federal government agency. It also extends your options for working with states, local agencies, and even private companies. Many of these now either mandate FedRAMP compliance or use the FedRAMP criteria for determining the security they require from their vendors.

It may even result in you being invited to tender for work for which you would not otherwise have been considered. Once you are FedRAMP cloud compliant you are listed in the FedRAMP marketplace. This was created as a resource for federal government agencies. It is, however, open to the public and is regularly used by states, local agencies, and private businesses.

Essentially, the organizations that refer to the FedRAMP marketplace are generally doing so because they specifically want to work with cloud service vendors that are already FedRAMP compliant. They don’t want to gamble on a vendor that has lower security standards or wait for the time it would take them to go through the compliance process.

The basics of FedRAMP cloud service compliance

In short, to be granted FedRAMP cloud service compliance, you must be able to prove three things.

1. That you can keep data under proper access controls.
2. That you can maintain data integrity.
3. That you can ensure data is available whenever it is needed.

Here are the key steps you need to follow to do this.

Choose your pathway

There are two paths to acquiring it. One is through a specific government agency and the other is through the Joint Authorization Board (JAB). There are minor differences between the two routes but the basic process is essentially the same.

Gather and complete the initial documentation

The FedRAMP website has a full list of guidance, documents, and templates for organizations seeking to gain FedRAMP cloud compliance. Download and complete any that are obviously relevant to you. Be prepared to complete more documentation as you go along the process.

Conduct your FIPS 199 Assessment

Technically, your FIPS 199 assessment is to determine what category of data you store, process, and/or transmit. Your options are high, medium, low and Low-Impact Software-as-a-Service (LI-SAAS). LI-SAAS is often referred to as FedRAMP tailored.

You can, however, reverse the process and state what categories of data you want to achieve FedRAMP cloud compliance for. If you went for this approach, then you would effectively only achieve FedRAMP cloud compliance for a subset of your operations. This may, however, be all you need, at least in the short term. Over the longer term, you can upgrade to a higher standard if you wish.

Create your Readiness Assessment Report (RAR)

You can skip this step if you’re going down the agency authorization path but it is highly recommended. The RAR does exactly what its name suggests. It assesses your readiness to continue down the path of FedRAMP cloud compliance.

The only disadvantages to doing it are that you need to pay for the services of a third-party assessment organization and that it can add a little bit of extra time to the process. On the other hand, this is often money and time well-spent because it can identify issues you may face later on. Overall, therefore, it’s usually a good idea to do it even if you don’t, technically, have to.

Create a Plan of Action and Milestones (POA&M)

Technically, this point depends on whether or not any issues were identified in your RAR. In practice, it is highly unlikely that any company will get through the RAR without some issues being identified.

Obtain your FedRAMP cloud certification

Officially, only a government agency can issue an authorization to operate (ATO). JAB issues a provisional authorization to operate (P-ATO). In practical terms, however, the JAB FedRAMP cloud certification is recognized as being on a par with a regular ATO and hence confers exactly the same business benefits.

Begin (and maintain) continuous monitoring

You only have to go through the full FedRAMP cloud certification process once. You do, however, need to submit regular security audits to ensure that you are maintaining the standards you achieved. Be aware that if you do not, you will have to recertify.


See Also:

What Is FedRAMP Compliance?

Share Article


Discover the DataBank Difference

Discover the DataBank Difference

Explore the eight critical factors that define our Data Center Evolved approach and set us apart from other providers.
Download Now
Get Started

Get Started

Discover the DataBank Difference today:
Hybrid infrastructure solutions with boundless edge reach and a human touch.

Get A Quote

Request a Quote

Tell us about your infrastructure requirements and how to reach you, and one of the team members will be in touch.

Schedule a Tour

Tour Our Facilities

Let us know which data center you’d like to visit and how to reach you, and one of the team members will be in touch shortly.