
What is FedRAMP and how can you get FedRAMP authorized?

One of the largest buyers of cloud technology is the federal government. 

While every business working with cloud service providers should prioritize security, you might guess that the government would take extra precautions when adopting cloud tech. And you’d be right. 

Those extra precautions are called the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is mandatory for any business whose cloud service or product will be used by federal agencies, whether you’re in edtech or IT.

Here’s everything you need to know about FedRAMP, including what it is, how it works, and why it matters.

What is FedRAMP?

Created in 2011 to help federal agencies move to the cloud quickly and securely, FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud service offerings. The program was created as an essential part of the federal government's efforts to protect federally regulated data and networks from cyber threats. 

FedRAMP is, in fact, the government’s most comprehensive program for authorizing cloud service providers (CSPs). It ensures that cloud providers meet the rigorous and mandatory security requirements set by the federal government in order to protect sensitive data from malicious attacks or unauthorized access, without requiring a slew of different compliance frameworks.

What are the benefits of FedRAMP?

With FedRAMP in place, cloud providers can undergo a single security assessment and gain authorization to operate across the entire federal government. 

This saves valuable time and resources for both cloud providers and federal agencies while also ensuring that sensitive government data remains secure. 

FedRAMP also offers credibility. Once your company is authorized, it’s added to the public list of authorized CSPs (the FedRAMP Marketplace), which can open up new business opportunities. And, like any compliance framework, it also helps you avoid compliance violations that could result in hefty fines or loss of business. 

How do you achieve FedRAMP compliance?

There are two paths depending on which entity you choose to complete the authorization process:

  • Through the Joint Authorization Board (JAB)
  • Through an agency

The diagram below from the FedRAMP website shows each step in the process depending on the path you choose:

The JAB process

According to the FedRAMP website, the JAB authorizes roughly 12 cloud service offerings, or CSOs, per year. The process starts with FedRAMP Connect, which is the primary way that the JAB selects, based on various criteria, which CSOs to prioritize. 

The readiness assessment is a requirement for the JAB route. In this step, a CSP must work with an accredited third party assessment organization (3PAO) to complete a readiness assessment, resulting in a readiness assessment report (RAR) that captures a snapshot of the CSP’s current security posture.

Once a CSO is deemed ready, the JAB will perform the full security assessment with the help of an accredited 3PAO in which the security authorization package (SAP) is prepared and completed, plus a month of continuous monitoring.

The JAB Authorization process starts with a kickoff meeting where a quick determination will be made to proceed or not proceed based on a few factors. Then, the JAB performs an in-depth review of the SAP, continuous monitoring, and remediation of any outstanding issues with the 3PAO. If compliant, the JAB will issue an authorization, followed by continuous monthly monitoring.

The agency process

If your company takes the agency route, the Readiness Assessment step is not required but is highly recommended.

During the pre-authorization step, the CSP will formalize its partnership with an agency, strategize an authorization plan, and then run a kickoff meeting with the agency.

The authorization phase consists of a full security assessment in which the 3PAO performs an independent audit and develops a security assessment report (SAR). The CSP then creates a plan of action and milestones (POA&M) for the findings in the SAR, and the agency conducts a SAP review that might also include a SAR debrief with the FedRAMP PMO. 

Finally, after any necessary remediation, the CSP uploads the authorization package checklist and all attachments to the FedRAMP secure repository, and the 3PAO uploads all security assessment material. Then FedRAMP reviews all of the information and will update the listing to “authorized” if the company is compliant, followed by continuous monthly monitoring.

The future of FedRAMP and NIST SP 800-53

FedRAMP has recently collaborated with the National Institute of Standards and Technology (NIST) to issue updated guidance on addressing vulnerabilities among software and cloud providers. This is the same NIST behind NIST SP 800-53 (security and privacy controls for federal information systems) and NIST SP 800-171 (protecting controlled unclassified information in nonfederal systems), the frameworks organizations use to manage and secure their information systems. 

In fact, FedRAMP’s security control baselines are drawn directly from NIST SP 800-53. To achieve FedRAMP authorization, a cloud service provider must implement the controls in the FedRAMP baseline that matches the impact level of its offering (Low, Moderate, or High) and demonstrate to an independent assessor that those controls are in place and operating. Note that SP 800-53 is organized into control families (access control, audit and accountability, configuration management, identification and authentication, incident response, system and communications protection, and so on), not the five functions of identify, protect, detect, respond, and recover; those belong to the separate NIST Cybersecurity Framework. Building on SP 800-53 helps ensure that federal agencies can trust the cloud services they are using, as those services have been tested and authorized against a comprehensive set of security requirements established by NIST.

If you’re interested in seeking FedRAMP compliance, becoming NIST SP 800-53 compliant puts you ahead of the curve, streamlining the process for you and your authorizing party.

Okay! You think you need FedRAMP. What’s next?

A great first step is to choose a compliance platform — like Strike Graph — that gives you the tools you need to design, operate, and measure a robust security program. You’ll also want to look for multi-framework flexibility so your software will scale with you as you require additional security certifications as your company grows.

One framework to keep in mind if you plan to work with the Department of Defense (DoD) is the Cybersecurity Maturity Model Certification (CMMC).
