What is FedRAMP?


FedRAMP stands for Federal Risk and Authorization Management Program. It is:

  • Designed to make sure that cloud services used by the government and other entities are secure, safe, and reliable
  • Mandatory for all organizations that provide cloud services to government entities
  • A uniform program that deals with security assessment, authorization, and observation for entities dealing with cloud services
  • Designed to save time, funds, and effort that would otherwise be expended on organizing data and information

Businesses that provide cloud products and services must take measures to protect sensitive data, and FedRAMP provides certifications that let businesses prove their cloud services are secure.

Why Do I Need FedRAMP?

If you are a cloud service provider, you might want to obtain a FedRAMP certification for various reasons.

  • It is mandatory for working with government entities.
  • It shows a commitment to security.
  • It will elevate your business, making you stand out from the competition.
  • It limits your own vulnerabilities, making your business less risky.
  • It makes it easier to comply with other security regulations and standards.

You need FedRAMP if you intend to offer your services to government entities, but even if you don't, obtaining your certification can still be very beneficial to your business.

How Do I Get My FedRAMP Certification?

Obtaining your certification may be time-consuming and complex, but it is worth it. There are a couple of different ways you can get your services authorized:

  • A Provisional Authority to Operate (P-ATO) through the Joint Authorization Board
  • An Agency Authority to Operate (ATO)

If you are interested in obtaining your certification, there are certain steps you need to follow.

Ready

  • Decide which authorization strategy to use (P-ATO or ATO)
  • Find an appropriate Third Party Assessment Organization (3PAO) to work with
  • Allow your 3PAO to assess your cloud services
  • Your 3PAO will submit your assessment to the Program Management Office (PMO)
  • The PMO will review your assessment

At this stage, if your assessment is favourable you become FedRAMP Ready. This means that you’re all set to pursue the authorization strategy of your choice and your certification moves one step closer to being complete.

In Process

Once you have obtained the FedRAMP Ready designation, you have one year to complete the next step of the process. To complete this second step you must:

  • Have your FedRAMP Ready designation
  • Be prioritized by the JAB
  • Finalize the cloud’s security plan
  • Work with your 3PAO to assess security and provide a written report
  • Upload all necessary security materials
  • Meet with your 3PAO, the JAB, and the PMO

This step will determine whether your certification can go any further. If it can, you will obtain the FedRAMP In Process designation and move on to the final step.

Authorization

After completing this final step, you will receive your certification. The requirements of this step vary depending on which authorization process you chose at the beginning.

P-ATO through JAB

  • JAB reviews your SSP; you must submit continuous monitoring deliverables monthly throughout this review process
  • You and your 3PAO revise your SSP according to JAB findings
  • JAB reviews your revisions
  • JAB issues you a letter granting authorization

Agency ATO

  • The agency issues you an ATO for your cloud services
  • You and your 3PAO upload your security materials
  • The PMO reviews your security materials and meets with you if necessary
  • If satisfactory, the PMO will issue you your authorization

The Importance of FedRAMP

Security and reliability are important to everyone involved in today’s digital world. We hope this article provides a good first step toward understanding FedRAMP and what it means for your business.

Shawn Corrigan

Shawn Corrigan is the President and Founder of Interactive Security Holdings Inc. Interactive Security has grown into a global company offering IT compliance auditing services for small to large companies, focused on making compliance obtainable, simple and affordable. With over 20 years in the BPO and financial industry working at the executive level, Corrigan has experienced the pitfalls, trials and tribulations of bringing an enterprise organization into IT compliance. Corrigan has designed a methodology geared at guiding clients of any size to successfully achieve compliance and ultimately obtain compliance certification. Corrigan is certified as a FISMA/NIST Implementor, PCI-DSS QSA, HITRUST Certified Practitioner and HITRUST Certified Quality Professional, and ISO 27001 Lead Auditor and Implementor.