How to get your IT company approved by FedRAMP: insights from the experts

FedRAMP — short for the Federal Risk and Authorization Management Program — was created in 2011 to standardize the security of cloud services used by federal agencies. It builds on FISMA, legislation passed in 2002 to ensure that federal agencies meet a regulated minimum standard of IT security.

In other words, FedRAMP exists to regulate which cloud services agencies can and can’t use.

After all, government agencies have far more intense security needs than consumers and most businesses — FedRAMP was created to make sure those needs are met.

Before FedRAMP, there was no way for cloud services to receive approval for use by agencies, so federal agencies simply didn’t use cloud services at any level. FedRAMP opened the door for private cloud companies to offer services to the government.

Here’s what you need to know to get FedRAMP approval as an IT solution.

"FedRAMP stands for Federal Risk and Authorization Management Program. It provides the FISMA compliance that's required for government data."

Corey Clements, Director of Federal Program Services, SecureIT

Why FedRAMP matters

Government agencies collect, create, and dispose of immense amounts of data. Within this, a significant amount is confidential and related to various areas of national security. Should sensitive data leak from federal teams, the consequences could be disastrous — on many levels.

At the same time, many federal agencies are already far behind the rest of the world in terms of modernizing their work methods and optimizing their efficiency. Cloud-based working could be revolutionary in these teams, and the revenue potential of getting on a government roster is appealing for many businesses.

That’s where FedRAMP comes in — outlining the requirements for cloud service providers, and making it clear to businesses and agencies alike what security measures are expected of them.

Not only that, but FedRAMP is responsible for granting certification to cloud services, allowing them to be used by various agencies. Without FedRAMP, or an equivalent system, there would be no way to use cloud-based tools in federal workflows.

Getting approved by FedRAMP: 4 things you need to know

That brings us to the topic at hand: seeking approval from FedRAMP. This is a complicated and costly process, but one that many cloud providers hope to embark on. To help, we’ve outlined some of the most important things you’ll need to know when looking to be approved by FedRAMP.

1. It's a top-down project

First and foremost, securing a FedRAMP certification is a top-down project. Cloud providers will find the process much more manageable if they build FedRAMP standards into the product blueprint from day one. Doing the reverse — developing the product first, and then illustrating how it conforms to regulations — is a far riskier route.

Additionally, FedRAMP certification is rarely something that can be done by just a few members of the team. It’s something that needs to be a goal of your entire workforce.

The goal in a top-down approach is to make security a part of your business’s culture. Rather than thinking of it as an added feature or your ticket to FedRAMP approval, it should be something that you are constantly working to improve, implement, and innovate. It’s this level of focus that will facilitate your approval by FedRAMP and make it much easier to adhere to its requirements.

"The government knows from a contracting perspective, they are being driven to utilize and identify FedRAMP certified programs."

Maria Horton, CEO & President, EmeSec

2. Create a clear, easy-to-follow plan

As you would expect, obtaining authorization from FedRAMP is lengthy and, at times, complex. Like any long or arduous task, the best approach is to take things one step at a time — and the best way to do that is by creating a clear, step-by-step plan.

FedRAMP certification is a big challenge. Even businesses that hold certifications in other areas will run into new obstacles, because FedRAMP’s requirements are unique. To avoid being overwhelmed, keep your end goal in mind and treat each requirement and task as a stepping stone towards it. Be prepared for a challenge, and have a plan in place to tackle it — phase by phase, stage-gate by stage-gate.

3. JAB, CSP, PMO, P-ATO, ATO, AO – what does this all mean?

If you’ve done any amount of FedRAMP research, then you’ve probably encountered all of the above acronyms, and more. FedRAMP has its share of need-to-know terminology, which makes it tricky to understand and remember exactly what you’re reading about.

To help, here’s a cheat sheet you can save to remember all of FedRAMP’s acronymic jargon:

  • CSP – Short for cloud-service provider, a CSP is any business offering a cloud-based service, like a SaaS product. In other words, this is you.
  • FedRAMP – As covered, FedRAMP is a federal program responsible for setting security guidelines for cloud-based products used by federal agencies. It is also responsible for granting approval to CSPs, acting as a gateway between CSPs and federal agencies.
  • PMO – Short for Program Management Office, this is the office in charge of managing FedRAMP.
  • AO – Short for Authorizing Official, this is a representative from a federal agency with the power to give CSPs approval to offer their services to that agency.
  • JAB – Short for Joint Authorization Board, this is a board of officials appointed to review and grant provisional approval to CSPs to offer their services to any federal agency.
  • ATO – Short for Authorization To Operate, this is a certification granted by an AO that allows a CSP to offer services to that AO’s agency.
  • P-ATO – Short for Provisional Authorization To Operate, this is a certification granted by the JAB that allows a CSP to offer its services to any federal agency. It’s important to note that P-ATOs meet a broad standard that might not be accepted by certain agencies, hence the title “Provisional”. A P-ATO is usually earned prior to obtaining ATOs with specific agencies.

4. Be prepared for an ongoing process

Last but not least, remember that you are in for a journey. FedRAMP approval is much more than a way to break into the federal marketplace. It’s an ongoing process of meeting standards, adapting to changing requirements, and constantly improving your security measures.

Little surprise, then, that FedRAMP has an annual review process, where your software is tested rigorously to ensure it still meets the latest standards.

For these reasons, it’s important that CSPs don’t look at FedRAMP approval as the finish line. In FedRAMP, there is no finish line — so structure your business around working in line with FedRAMP, today, tomorrow and into the future.

Building a FedRAMP-approved service

Though seeking, achieving, and maintaining FedRAMP approval is a challenging feat, it’s one of the best moves you can make for your business.

Not only is the federal market a great market to be in, but being FedRAMP-approved also gives you credibility in other markets. It’s why platforms like FedHR Navigator are known for being secure and reliable.

We hope this post has given you the information and confidence to start embarking on your FedRAMP journey. The insights shared in this guide came from Maria Horton, CEO of EmeSec, and Corey Clements, Director of Federal Programs at SecureIT, interviewed by Gil Tillman on the Government Enabled podcast. Check out the full episodes, and more, here.
