The Federal Risk and Management Program (FedRAMP) is a cyber security risk management program for the purchase and use of cloud products and services used by U.S. federal agencies. ( Canadian Companies will be required to obtain this compliance within the next year). Only cloud service providers (CSP) with FedRAMP approval may work with government agencies. The program was initiated by the Office of Management and Budget (OMB) in response to the U.S. government’s 2011 Cloud First Policy.

Before a commercial cloud service offering (CSO) can be used by a federal agency, it must demonstrate that it meets all FedRAMP compliance requirements. These requirements are outlined in NIST 800-53 (the gold standard in security) and supplemented by the FedRAMP Program Management Office (PMO). Authorization is granted to the cloud service provider (CSP) through the provision of what is known as the FedRAMP Authority to Operate (ATO). More about this later.

CSPs must achieve the following high-level requirements to achieve FedRAMP compliance and authorization:

• Completion of FedRAMP documentation including the FedRAMP SSP
• Implementation of controls that comply with FIPS 199 categorization
• Commercial cloud offerings will be assessed by a FedRAMP Third Party Assessment Organization (3PAO)
• Development of a Plan of Action and Milestones (POA&M)
• Obtain Joint Authorization Board (JAB) Provisional ATO (P-ATO) or Agency ATO
• Implementation of a Continuous Monitoring (ConMon) program including monthly vulnerability scans

Deciding which authorization route to take is a critical decision for any CSP wanting to offer services and products to federal agencies. There are two paths to obtaining a FedRAMP Authorization to Operate (ATO). The first is to obtain authorization from a specific government agency. The second is to obtain authorization from the Joint Authorization Board (JAB). This authorization is known as FedRAMP Provisional Authorization to Operate (P-ATO).

A provisional authorization in the form of a P-ATO must be issued by the JAB as they do not have the authority to accept risk on behalf of any federal agency. Every federal agency has its own Authorization Officer (AO) and they have the responsibility to make risk decisions on behalf of the agency.

However, a P-ATO involves a much more stringent process and will have been assessed and approved by the Department of Homeland Security (DHS), Department of Defence (DoD) and the General Services Administration (GSA).

When you work with a FedRAMP-Authorized CSP, you aren’t simply meeting compliance requirements, but also providing a range of security benefits and efficiencies for your organization.

Agencies that apply the FedRAMP framework to their evaluation of cloud services and products can achieve the following benefits, including:

• Significant cost and time savings compared to carrying out independent assessments, many of which can often be redundant
• Uniform evaluation and authorization of cloud information security controls
• Enhanced insights into cloud security controls
• Confidence in the validity of assessments and the reduction of cloud security concerns
• A faster cloud adoption roadmap

The FedRAMP process may be rigorous, but once an ATO or P-ATO has been obtained, the CSP will have a wealth of opportunities open to them to expand their CSO offerings throughout various federal government agencies and offices. For federal agencies looking to adopt cloud-based solutions, FedRAMP provides confidence in approved solutions, saves time and money on evaluation, and significantly reduces the risk of cybersecurity threats.