What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government program that standardizes the security assessment, authorization, and continuous monitoring of cloud services and products used by federal agencies. Established in 2011 by the Office of Management and Budget, it defines a set of security control baselines (drawn from NIST SP 800-53 and tiered into Low, Moderate, and High impact levels), assessment procedures, and standard contractual language that give federal agencies a consistent basis for trusting a cloud service. FedRAMP lets agencies move sensitive data to the cloud while ensuring that the data is protected in a repeatable, standardized manner rather than through one-off reviews.
Why Does FedRAMP Exist?
FedRAMP was established primarily to support the U.S. Federal Government's "Cloud First" initiative, an effort to accelerate the adoption of cloud computing across government bodies. It also addressed a specific risk of that shift: in a shared, provider-operated environment, federal data sits on infrastructure the agency does not control, so each agency needed an assurance that the provider's controls had been independently verified, without every agency repeating the same assessment of the same service. The central purpose of FedRAMP is therefore to provide a standardized, reusable ("do once, use many times") approach to security assessment, authorization, and continuous monitoring for cloud products and services, which helps federal agencies meet their obligations under the Federal Information Security Management Act (FISMA, updated by the Federal Information Security Modernization Act of 2014) and associated OMB policies.
Who Needs FedRAMP?
Any cloud service provider (CSP) whose offering stores, processes, or transmits federal information on behalf of a federal agency must obtain a FedRAMP authorization before an agency can use it. This applies regardless of service model: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) offerings are all in scope. Federal agencies, for their part, are required to use FedRAMP-authorized services for their cloud deployments and should verify an offering's authorization status (for example, on the FedRAMP Marketplace) before issuing their own Authorization to Operate. State and local agencies are not bound by the FedRAMP mandate, but they, along with government contractors handling federal data (who may be contractually required to do so), frequently select FedRAMP-authorized platforms to inherit a vetted security baseline and reduce risk.
How is FedRAMP Used?
The FedRAMP assessment process involves a rigorous three-step methodology: documentation of security controls, independent testing, and ongoing monitoring. In the first step, the CSP produces a System Security Plan (SSP) describing how its system implements each control in the baseline for its impact level (Low, Moderate, or High). Then an accredited Third Party Assessment Organization (3PAO) tests those controls and records its findings in a Security Assessment Report; the CSP tracks any open findings in a Plan of Action and Milestones (POA&M), and an authorizing official grants an Authorization to Operate on the basis of that package. Once authorized, the CSP must continuously monitor its system to remain in compliance: at a minimum this means recurring vulnerability scans of the operating system, database, and web application layers, regular POA&M updates showing that findings are being remediated within the required timeframes, an annual reassessment, and notification and approval of significant changes to the system before they are made.
The Prevalence of FedRAMP
FedRAMP has become the common standard for commercial cloud services contracted by the federal government. At the time of writing, more than 150 cloud service providers, including big names like Microsoft and Amazon Web Services, hold FedRAMP authorizations, which underscores its pervasiveness in the public sector. Other entities, such as state and local governments and companies in regulated industries, also increasingly prefer FedRAMP-authorized services (FedRAMP authorizes offerings; it does not issue certifications) as evidence of a provider's security practices.