FedRAMP Certification: What Is It, Why Is It Necessary, And Who Obtained It?
Hacked celebrity camera roles. State cyber espionage. And everything in between. Data security has a wide variety of uses. This is a major concern for anyone who uses or provides cloud-based services.
When it comes to government data, these concerns can reach levels of national security. Because of this, the US government requires that all cloud services used by federal agencies meet a set of security standards known as FedRAMP.
What is FedRAMP and what does it include? You are in the right place to find out.
Bonus: Read the step-by-step guide to social media strategy with professional tips on how to increase your social media presence.
What is FedRAMP?
FedRAMP stands for the "Federal Risk and Authorization Management Program". It standardizes security assessment and authorization for cloud products and services used by US federal agencies.
The aim is to ensure that federal data in the cloud is consistently protected at a high level.
Getting FedRAMP authorization is serious business. The required level of security is required by law. There are 14 applicable laws and regulations, as well as 19 standards and guidelines. It's one of the most stringent software-as-a-service certifications in the world.
Here's a quick introduction:
FedRAMP has been around since 2012, at which point cloud technologies really began to replace obsolete tethered software solutions. It emerged from the US government's “Cloud First” strategy. This strategy required agencies to consider cloud-based solutions as their first choice.
Before FedRAMP, cloud service providers had to create an authorization package for every agency they wanted to work with. The requirements were not consistent. And there was a lot of double effort for both vendors and agencies.
FedRAMP introduced consistency and streamlined the process.
Ratings and requirements are now standardized. Several government agencies can reuse the provider's FedRAMP authorization security package.
The initial FedRAMP uptake was slow. Only 20 cloud service offerings were approved in the first four years. But the pace has really accelerated since 2018, and there are now 204 FedRAMP authorized cloud products.
FedRAMP is controlled by a Joint Authorization Board (JAB). The board consists of representatives from:
- the Department of Homeland Security
- the General Services Administration and
- the Ministry of Defense.
The program is endorsed by the US government's Federal Chief Information Officers Council.
Why is FedRAMP certification important?
All cloud services that contain federal data require FedRAMP authorization. So if you're looking to partner with the federal government, FedRAMP authorization is an important part of your security plan.
FedRAMP is important because it ensures the consistency of the security of government cloud services – and because it ensures consistency in assessing and monitoring that security. It offers a range of standards for all government agencies and all cloud providers.
FedRAMP Authorized Cloud Service Providers are listed on the FedRAMP Marketplace. This marketplace is the first place government agencies look for a new cloud-based solution. It is much easier and faster for an agency to use an already authorized product than to start the authorization process with a new provider.
Listing on the FedRAMP Marketplace increases the likelihood that you will receive additional business from government agencies. But it can also improve your profile in the private sector.
This is because the FedRAMP marketplace is visible to the public. Any private sector company can scroll through the list of FedRAMP authorized solutions.
This is a great resource if you are looking to source a secure cloud product or service.
FedRAMP authorization enables each client to gain more confidence in the security protocols. It is an ongoing commitment to meet the highest safety standards.
The FedRAMP authorization significantly increases your security credibility beyond the FedRAMP marketplace. You can share your authorization on social media and on your website.
The truth is, most of your customers probably don't know what FedRAMP is. They don't care if you are authorized or not. But for large customers who understand FedRAMP in both the public and private sectors, a lack of authorization can be a deal breaker.
What does it take to be FedRAMP certified?
There are two different ways to get FedRAMP authorized.
1. Provisional operating authority of the Joint Authorization Board (JAB)
In this process, the JAB issues a preliminary authorization. This tells the agencies that the risk has been reviewed.
It's an important first approval. However, each agency that wants to use the service must issue its own operating license.
This process is best suited for high or medium risk cloud service providers. (We'll look at risk levels in the next section.)
Here is a visual overview of the JAB process:
2. Authority to operate the agency
In this process, the cloud service provider creates a relationship with a specific federal authority. This agency is involved throughout the process. If the process is successful, the agency issues a letter of authorization to operate.
FedRAMP authorization steps
Regardless of the type of authorization you're pursuing, FedRAMP authorization involves four main steps:
- Package development. First there is an authorization kick-off meeting. The provider then creates a system security plan. Next, a FedRAMP-approved third-party assessment organization develops a safety assessment plan.
- Rating. The assessment organization submits a safety assessment report. The provider creates an action plan and milestones.
- Approval. The JAB or the licensing authority decides whether the risk described is acceptable. If so, send an operational letter to the FedRAMP project management office. The provider will then be listed in the FedRAMP Marketplace.
- Monitoring. The provider sends monthly security monitoring results to each agency through the service.
FedRAMP authorization best practices
The process of obtaining FedRAMP authorization can be difficult. However, it is in the best interests of all parties that cloud service providers are successful once the authorization process has started.
To help, FedRAMP interviewed several small businesses and startups about the insights it gained from authorization. Here are the seven best tips for successfully navigating the authorization process:
- Understand how your product is mapped to FedRAMP – including a gap analysis.
- Get organizational buy-in and commitment – also from the management team and technical teams.
- Find an agency partner – one who uses or is committed to your product.
- Spend time precisely defining your limit. This contains:
- internal components
- Connections to external services and
- the flow of information and metadata.
- Think of FedRAMP as an ongoing program, not just a project with a start and end date. Services must be continuously monitored.
- Think carefully about your authorization approach. Multiple entitlements may be required for multiple products.
- The FedRAMP PMO is a valuable resource. They can answer technical questions and help you plan your strategy.
FedRAMP offers templates that cloud service providers can use to prepare for FedRAMP compliance.
What are the FedRAMP Compliance Categories?
FedRAMP offers four levels of impact for services with different types of risk. They are based on the potential impact of a security breach in three different areas.
- Confidentiality: Protection of privacy and protected information.
- Integrity: Protection against modification or destruction of information.
- Availability: Timely and reliable access to data.
The first three levels of impact are based on the Federal Information Processing Standard (FIPS) 199 of the National Institute for Standards and Technology (NIST). The fourth is based on NIST special publication 800-37. The effects are:
- High, based on 421 controls. "The loss of confidentiality, integrity, or availability is expected to have serious or catastrophic adverse effects on an organizational process, organizational asset, or individual." This usually applies to law enforcement, emergency services, financial, and healthcare systems.
- Moderate, based on 325 controls. "The loss of confidentiality, integrity, or availability is expected to have a serious adverse effect on an organizational process, organizational asset, or individual." Almost 80 percent of the approved FedRAMP requests have a moderate level of impact.
- Low based on 125 controls. "The loss of confidentiality, integrity, or availability is expected to have limited adverse effects on an organizational process, organizational asset, or individual."
- Low-Impact-Software-as-a-Service (LI-SaaS), based on 36 controls. For "low risk systems for applications such as collaboration tools, project management applications, and tools that aid in the development of open source code." This category is also known as FedRAMP Tailored.
This last category was added in 2017 to make it easier for agencies to approve “low risk use cases”. To qualify for FedRAMP Tailored, the vendor must answer yes to six questions. These will be posted on the FedRAMP Custom Policy page:
- Does the service work in a cloud environment?
- Is the cloud service fully functional?
- Is the cloud service a software as a service (SaaS) in the sense of NIST SP 800-145, the NIST definition of cloud computing?
- The cloud service does not contain any personal data (PII), unless this is necessary to provide a login function (user name, password and email address).
- Does the cloud service have a low security impact as defined in FIPS PUB 199, Standards for the Security Categorization of Federal Information and Information Systems?
- Is the cloud service hosted on a FedRAMP-authorized platform as a service (PaaS) or infrastructure as a service (IaaS) or does the CSP provide the underlying cloud infrastructure?
Note that becoming FedRAMP compliant is not a one-time task. Do you remember the monitoring phase of FedRAMP authorization? That means you'll need to conduct regular security reviews to make sure you're staying FedRAMP compliant.
Examples of FedRAMP certified products
There are many types of FedRAMP authorized products and services. Here are some examples of cloud service providers you know and may already use yourself.
Amazon Web Services
There are two AWS listings on the FedRAMP Marketplace. AWS GovCloud is high-level authorized. AWS US East / West is mid-level authorized.
Have you heard? AWS GovCloud (US) customers can use #AmazonEFS for mission-critical file workloads as they recently received FedRAMP High authorization. #GovCloud https://t.co/iZoKNRESPP pic.twitter.com/pwjtvybW6O
– AWS for Government (@AWS_Gov) October 18, 2019
AWS GovCloud has a whopping 292 permissions. AWS US East / West has 250 entitlements. This is way more than any other listing on the FedRAMP marketplace.
Adobe Analytics was authorized in 2019. It is used by the Centers for Disease Control and Prevention and the Ministry of Health and Human Services. It is authorized at the LI SaaS level.
Adobe has actually authorized several products at the LI SaaS level. (Such as Adobe Campaign and Adobe Document Cloud.) Also, some mid-level products are authorized:
- Adobe Connect Managed Services
- Adobe Experience Manager managed services.
Adobe is currently in the process of moving from customized FedRAMP authorization to moderate FedRAMP authorization for Adobe Sign.
Learn more about how @Adobe Sign is working to move from FedRAMP Tailored to FedRAMP Moderate Statues here: https://t.co/cYjihF9KkP
– AdobeSecurity (@AdobeSecurity) August 12, 2020
Remember that the service, not the service provider, receives the authorization. As with Adobe, if you offer more than one cloud-based solution, you may need to apply for multiple permissions.
Slack was authorized in May of this year and has 21 FedRAMP permissions. The product is authorized at the middle level. It is used by agencies including:
- the Centers for Disease Control and Protection,
- the Federal Communications Commission and
- the National Science Foundation.
With our new FedRAMP Moderate permit, the US public sector can now do more of its work in Slack. By meeting these stringent security requirements, we keep every other company that uses Slack secure. https://t.co/dlra7qVQ9F
– Slack (@SlackHQ) August 13, 2020
Slack originally received FedRAMP Tailored approval. Then they pursued a moderate permit by working with the Department of Veterans Affairs.
Slack announces the security benefits of this approval for private customers on its website:
“This latest authorization means a more secure experience for Slack customers, including private sector companies, that do not require a FedRAMP authorized environment. All customers using Slack's commercial offerings can benefit from the increased security measures required to achieve FedRAMP certification. "
Trello Enterprise Cloud
Trello was just granted Li-SaaS approval in September. Trello is currently only used by the General Services Administration. However, the company wants to change that, as can be seen from the social posts on its new FedRAMP status:
🏛️With Trello's FedRAMP authorization, your agency can now use Trello to increase productivity, break down team silos, and encourage collaboration. https://t.co/GWYgaj9jfY
– Trello (@trello) October 12, 2020
Zendesk was also authorized in May and is used by:
- the Ministry of Energy,
- the Federal Housing Agency
- the FHFA office of the General Inspector and
- the General Services Administration.
The Zendesk platform for customer support and help desk has Li-Saas authorization.
Starting today, we can make it a lot easier for government agencies to work with us because @Zendesk is now FedRAMP authorized. Thanks to all the teams inside and outside of Zendesk for the effort. https://t.co/A0HVwjhGsv
– Mikkel Svane (@mikkelsvane) May 22, 2020
Use Hootsuite to securely inform yourself and use social media. From a single dashboard, you can schedule and publish content on any network, monitor relevant conversations, and measure public opinion on programs and policies in real time using social listening and analytics. Try it for free today.