FedRAMP Certification: What Is It, Why It Matters, and Who Has It
Hacked celebrity camera rolls. State-based cyberespionage. And everything in between. Data security has a huge range of applications. And it’s a major concern for everyone who uses or supplies cloud-based services.
When government data is involved, those concerns can reach the level of national security. That’s why the U.S. government requires all cloud services used by federal agencies to meet a meticulous set of security standards known as FedRAMP.
So just what is FedRAMP, and what does it entail? You’re in the right place to find out.
Bonus: Read the step-by-step social media strategy guide with pro tips on how to grow your social media presence.
What is FedRAMP?
FedRAMP stands for the “Federal Risk and Authorization Management Program.” It standardizes security assessment and authorization for cloud products and services used by U.S. federal agencies.
The goal is to make sure federal data is consistently protected at a high level in the cloud.
Getting FedRAMP authorization is serious business. The level of security required is mandated by law. There are 14 applicable laws and regulations, along with 19 standards and guidance documents. It’s one of the most rigorous software-as-a-service certifications in the world.
Here’s a quick introduction:
FedRAMP has been around since 2012. That’s when cloud technologies really began to replace outdated tethered software solutions. It was born from the U.S. government’s “Cloud First” strategy. That strategy required agencies to look at cloud-based solutions as a first choice.
Before FedRAMP, cloud service providers had to prepare an authorization package for each agency they wanted to work with. The requirements were not consistent. And there was a lot of duplicate effort for both providers and agencies.
FedRAMP introduced consistency and streamlined the process.
Now, evaluations and requirements are standardized. Multiple government agencies can reuse the provider’s FedRAMP authorization security package.
Initial FedRAMP uptake was slow. Only 20 cloud service offerings were authorized in the first four years. But the pace has really picked up since 2018, and there are now 204 FedRAMP authorized cloud products.
FedRAMP is controlled by a Joint Authorization Board (JAB). The board is made up of representatives from:
- the Department of Homeland Security
- the General Services Administration, and
- the Department of Defense.
The program is endorsed by the U.S. government Federal Chief Information Officers Council.
Why is FedRAMP certification important?
All cloud services holding federal data require FedRAMP authorization. So, if you want to work with the federal government, FedRAMP authorization is an important part of your security plan.
FedRAMP is important because it ensures consistency in the security of the government’s cloud services—and because it ensures consistency in evaluating and monitoring that security. It provides one set of standards for all government agencies and all cloud providers.
Cloud service providers that are FedRAMP authorized are listed in the FedRAMP Marketplace. This marketplace is the first place government agencies look when they want to source a new cloud-based solution. It’s much easier and faster for an agency to use a product that’s already authorized than to start the authorization process with a new vendor.
So, a listing in the FedRAMP marketplace makes you much more likely to get additional business from government agencies. But it can also improve your profile in the private sector.
That’s because the FedRAMP marketplace is visible to the public. Any private sector company can scroll through the list of FedRAMP authorized solutions.
It’s a great resource when they’re looking to source a secure cloud product or service.
FedRAMP authorization can make any client more confident about the security protocols. It represents an ongoing commitment to meeting the highest security standards.
FedRAMP authorization significantly boosts your security credibility beyond the FedRAMP Marketplace, too. You can share your authorization on social media and on your website.
The truth is that most of your clients probably don’t know what FedRAMP is. They don’t care whether you’re authorized or not. But for those large clients who do understand FedRAMP – in both the public and private sectors – lack of authorization may be a deal-breaker.
What does it take to be FedRAMP certified?
There are two different ways to become FedRAMP authorized.
1. Joint Authorization Board (JAB) Provisional Authority to Operate
In this process, the JAB issues a provisional authorization. That lets agencies know the risk has been reviewed.
It’s an important first approval. But any agency that wants to use the service still has to issue their own Authority to Operate.
This process is best suited for cloud services providers with high or moderate risk. (We’ll dive into risk levels in the next section.)
Here’s a visual overview of the JAB process:
2. Agency Authority to Operate
In this process, the cloud services provider establishes a relationship with a specific federal agency. That agency is involved throughout the process. If the process is successful, the agency issues an Authority to Operate letter.
No matter which type of authorization you pursue, FedRAMP authorization involves four main steps:
- Package development. First, there’s an authorization kick-off meeting. Then the provider completes a System Security Plan. Next, a FedRAMP-approved third-party assessment organization develops a Security Assessment Plan.
- Assessment. The assessment organization submits a Security Assessment report. The provider creates a Plan of Action & Milestones.
- Authorization. The JAB or authorizing agency decides whether the risk as described is acceptable. If yes, they submit an Authority to Operate letter to the FedRAMP project management office. The provider is then listed in the FedRAMP Marketplace.
- Monitoring. The provider sends monthly security monitoring deliverables to each agency using the service.
The process of achieving FedRAMP authorization can be tough. But it’s in the best interest of everyone involved for cloud service providers to succeed once they start the authorization process.
To help, FedRAMP interviewed several small businesses and start-ups about lessons learned during authorization. Here are their seven best tips for successfully navigating the authorization process:
- Understand how your product maps to FedRAMP – including a gap analysis.
- Get organizational buy-in and commitment – including from the executive team and technical teams.
- Find an agency partner – one that is using your product or is committed to doing so.
- Spend time accurately defining your boundary. That includes:
- internal components
- connections to external services, and
- the flow of information and metadata.
- Think of FedRAMP as a continuous program, rather than just a project with a start and end date. Services must be continuously monitored.
- Carefully consider your authorization approach. Multiple products may require multiple authorizations.
- The FedRAMP PMO is a valuable resource. They can answer technical questions and help you plan your strategy.
FedRAMP offers templates to help cloud service providers prepare for FedRAMP compliance.
What are the categories of FedRAMP compliance?
FedRAMP offers four impact levels for services with different kinds of risk. They’re based on the potential impacts of a security breach in three different areas.
- Confidentiality: Protections for privacy and proprietary information.
- Integrity: Protections against modification or destruction of information.
- Availability: Timely and reliable access to data.
The first three impact levels are based on Federal Information Processing Standard (FIPS) 199 from the National Institute of Standards and Technology (NIST). The fourth is based on NIST Special Publication 800-37. The impact levels are:
- High, based on 421 controls. “The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.” This usually applies to law enforcement, emergency services, financial, and health systems.
- Moderate, based on 325 controls. “The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.” Nearly 80 percent of approved FedRAMP applications are at the moderate impact level.
- Low, based on 125 controls. “The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.”
- Low-Impact Software-as-a-Service (LI-SaaS), based on 36 controls. For “systems that are low risk for uses like collaboration tools, project management applications, and tools that help develop open-source code.” This category is also known as FedRAMP Tailored.
This last category was added in 2017 to make it easier for agencies to approve “low-risk use cases.” To qualify for FedRAMP Tailored, the provider must answer yes to six questions. These are posted on the FedRAMP Tailored policy page:
- Does the service operate in a cloud environment?
- Is the cloud service fully operational?
- Is the cloud service a Software as a Service (SaaS), as defined by NIST SP 800-145, The NIST Definition of Cloud Computing?
- The cloud service does not contain personally identifiable information (PII), except as needed to provide a login capability (username, password and email address)?
- Is the cloud service low-security-impact, as defined by FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems?
- Is the cloud service hosted within a FedRAMP-authorized Platform as a Service (PaaS) or Infrastructure as a Service (IaaS), or is the CSP providing the underlying cloud infrastructure?
Keep in mind that achieving FedRAMP compliance is not a one-off task. Remember the Monitoring stage of FedRAMP authorization? That means you’ll need to submit regular security audits to ensure you stay FedRAMP compliant.
Examples of FedRAMP certified products
There are many types of FedRAMP authorized products and services. Here are a few examples from cloud service providers you know and may already use yourself.
Amazon Web Services
There are two AWS listings in the FedRAMP Marketplace. AWS GovCloud is authorized at the High level. AWS US East/West is authorized at the Moderate level.
Did you hear? AWS GovCloud (US) customers can use #AmazonEFS for mission-critical file workloads thanks to recently achieving FedRAMP High authorization. #GovCloud https://t.co/iZoKNRESPP pic.twitter.com/pwjtvybW6O
— AWS for Government (@AWS_Gov) October 18, 2019
AWS GovCloud has a whopping 292 authorizations. AWS US East/West has 250 authorizations. That’s far more than any other listing in the FedRAMP Marketplace.
Adobe Analytics was authorized in 2019. It is used by the Centers for Disease Control and Prevention and the Department of Health and Human Services. It’s authorized at the LI-SaaS level.
Adobe actually has several products authorized at the LI-SaaS level. (Like Adobe Campaign and Adobe Document Cloud.) They also have a couple of products authorized at the Moderate level:
- Adobe Connect Managed Services
- Adobe Experience Manager Managed Services.
Adobe is currently in the process of moving from FedRAMP Tailored authorization to FedRAMP Moderate authorization for Adobe Sign.
Learn more about how @Adobe Sign is working to move from FedRAMP Tailored to FedRAMP Moderate statues here: https://t.co/cYjihF9KkP
— AdobeSecurity (@AdobeSecurity) August 12, 2020
Remember that it’s the service, not the service provider, that gets authorization. Like Adobe, you might have to pursue multiple authorizations if you offer more than one cloud-based solution.
Authorized in May of this year, Slack has 21 FedRAMP authorizations. The product is authorized at the Moderate level. It’s used by agencies including:
- the Centers for Disease Control and Protection,
- the Federal Communications Commission, and
- the National Science Foundation.
The U.S. public sector can now run more of their work in Slack, thanks to our new FedRAMP Moderate authorization. And by meeting those stringent security requirements, we’re keeping things secure for every other company using Slack, too. https://t.co/dlra7qVQ9F
— Slack (@SlackHQ) August 13, 2020
Slack originally received FedRAMP Tailored authorization. Then, they pursued Moderate authorization by partnering with the Department of Veterans Affairs.
Slack makes sure to call attention to the security benefits of this authorization for private sector clients on its website:
“This latest authorization translates to a more secure experience for Slack customers, including private-sector businesses that don’t require a FedRAMP-authorized environment. All customers using Slack’s commercial offerings can benefit from the heightened security measures required to achieve FedRAMP certification.”
Trello Enterprise Cloud
Trello was just granted Li-SaaS authorization in September. Trello is so far used only by the General Services Administration. But the company is looking to change that, as seen in their social posts about their new FedRAMP status:
🏛️With Trello’s FedRAMP authorization, your agency can now use Trello to boost productivity, break down team silos, and foster collaboration. https://t.co/GWYgaj9jfY
— Trello (@trello) October 12, 2020
Also authorized in May, Zendesk is used by:
- the Department of Energy,
- the Federal Housing Finance Agency
- the FHFA Office of the Inspector General, and
- the General Services Administration.
The Zendesk Customer Support and Help Desk Platform has Li-Saas authorization.
From today we can make it a lot easier for government agencies to work with us as @Zendesk is now FedRAMP authorized. Many thanks to all the teams inside and outside Zendesk for the effort put into this. https://t.co/A0HVwjhGsv
— Mikkel Svane (@mikkelsvane) May 22, 2020
Securely inform and engage on social media with Hootsuite. From a single dashboard, you can schedule and publish content to every network, monitor relevant conversations, and measure public sentiment around programs and policies with real-time social listening and analytics. Try it free today.