Many federal agencies still operate on-premises data centers, manned by large IT staffs. Despite private enterprise and some agencies largely shifting to cloud-based solutions for HR operations, many government entities remain wary of such a major transition in how data is handled and secured. For this reason, FedRAMP has been established as a government-wide program that standardizes security assessment, authorization and monitoring for all cloud services and products.
This approach allows a “do once, use many times” framework that will save the cost, time and staff required to conduct agency security assessments that have long been redundant.
FedRAMP was first announced in 2010 and formalized in a 2011 Office of Management and Budget (OMB) memo from White House Chief Information Officer, Vivek Kundra. The first Authority to Operate (ATO) was issued two years later by HHS. Since then, FedRAMP has become a required step for all cloud service providers offering solutions covered by the original memo.
What Does FedRAMP Do?
FedRAMP requires that all cloud service providers be compliant for new services acquired starting in 2012 and for all existing services as of 2014. The Joint Authorization Board includes CIOs from DOD, DHS and GSA and issues FedRAMP requirements to meet Federal Information Security Management Act (FISMA) and National Institute of Standards and Technology (NIST) standards.
Becoming FedRAMP compliant requires several steps and does not mean a cloud service provider is authorized. An ATO certification requires a process of several weeks, and there are multiple tiers depending on the services being provided. Steps for authorization include:
- Service provider must address all requirements aligned to NIST 800-53, Rev. 4 for moderate impact levels.
- All system security packages must use FedRAMP templates.
- Service provider must receive assessment by an independent auditor.
- Must be posted to the FedRAMP secure repository.
- Service provider needs to have been granted a Provisional Authority to Operate (P-ATO).
This process offers many benefits when implementing new HR software, especially as you address key technology gaps related to performance management or workforce analytics. Not only does it ensure software meets the standards established by the government for protection of personal identifying information (PII), it enables faster adoption of these technologies when offered by previously authorized cloud service providers.
Benefits of Working with a FedRAMP Authorized Provider
When you work with a cloud service provider who has received their FedRAMP ATO, there are several benefits, including:
- Reduced cost, time, and resources as providers have already been assessed at a government-wide level
- An improvement to real-time security visibility
- Greater transparency between the government and the service providers they work with
- Risk-based management in a more uniform approach
- Multi-factor authentication with CAC/PIV option in most cases
Implementation of cloud-based technology for performance management, workforce analytics, retirement calculations, employee and labor relations, and recruitment can significantly improve performance for your agency. It reduces the time spent completing paperwork, streamlines communication, and automates tedious, detail-oriented tasks. But efficiency must be paired with security, which is what FedRAMP authorization ensures.
For HR specialists, FedRAMP offers access to a range of cloud solutions that can improve efficiency in key areas while meeting federal security requirements. This is more important than ever – enabling modernization at scale for a large workforce.