Becoming a certified FedRAMP cloud services provider is an intense and often lengthy process. It’s therefore important to decide whether or not the benefits are worth the work (and costs) it entails. With that in mind, here is a quick guide to help you decide whether or not to become a certified FedRAMP cloud services provider.
The most obvious business benefit of becoming a certified FedRAMP cloud services provider is that it enables you to work for any federal government agency. It also extends your options for working with states, local agencies, and even private companies. Many of these now either mandate FedRAMP compliance or use the FedRAMP criteria for determining the security they require from their vendors.
It may even result in you being invited to tender for work for which you would not otherwise have been considered. Once you are FedRAMP cloud compliant you are listed in the FedRAMP marketplace. This was created as a resource for federal government agencies. It is, however, open to the public and is regularly used by states, local agencies, and private businesses.
Essentially, the organizations that refer to the FedRAMP marketplace are generally doing so because they specifically want to work with cloud service vendors that are already FedRAMP compliant. They don’t want to gamble on a vendor that has lower security standards or wait for the time it would take them to go through the compliance process.
In short, to be granted FedRAMP cloud service compliance, you must be able to prove three things.
1. That you can keep data under proper access controls.
2. That you can maintain data integrity.
3. That you can ensure data is available whenever it is needed.
There are two paths to acquiring authorization. One is through a specific government agency and the other is through the Joint Authorization Board (JAB). There are minor differences between the two routes, but the basic process is essentially the same.
The FedRAMP website has a full list of guidance, documents, and templates for organizations seeking to gain FedRAMP cloud compliance. Download and complete any that are obviously relevant to you. Be prepared to complete more documentation as you go along the process.
Your FIPS 199 assessment determines what category of data you store, process, and/or transmit. Your options are high, medium, low, and Low-Impact Software-as-a-Service (LI-SaaS). LI-SaaS is often referred to as FedRAMP Tailored.
You can, however, reverse the process and state what categories of data you want to achieve FedRAMP cloud compliance for. If you went for this approach, then you would effectively only achieve FedRAMP cloud compliance for a subset of your operations. This may, however, be all you need, at least in the short term. Over the longer term, you can upgrade to a higher standard if you wish.
You can skip this step if you’re going down the agency authorization path, but it is highly recommended. The Readiness Assessment Report (RAR) does exactly what its name suggests: it assesses your readiness to continue down the path of FedRAMP cloud compliance.
The only disadvantages to doing it are that you need to pay for the services of a third-party assessment organization (3PAO) and that it can add a little extra time to the process. On the other hand, this is often money and time well spent because it can identify issues you may face later on. Overall, therefore, it’s usually a good idea to do it even if you don’t, technically, have to.
Technically, this point depends on whether or not any issues were identified in your RAR. In practice, it is highly unlikely that any company will get through the RAR without some issues being identified.
Officially, only a government agency can issue an authorization to operate (ATO). The JAB issues a provisional authorization to operate (P-ATO). In practical terms, however, the JAB FedRAMP cloud certification is recognized as being on a par with a regular ATO and hence confers exactly the same business benefits.
You only have to go through the full FedRAMP cloud certification process once. You do, however, need to submit regular security audits to ensure that you are maintaining the standards you achieved. Be aware that if you do not, you will have to recertify.