What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized security assessment and authorization for cloud products and services used by U.S. federal agencies. It empowers government agencies to modernize their IT infrastructures by adopting cloud-based services, while ensuring proper security and data protection mechanisms are in place.
The Benefits of FedRAMP
FedRAMP ensures consistency in the security of the government’s cloud services. It provides one set of standards for all government agencies that cloud providers must meet to be considered for deployment within the U.S. federal government. The only exception involves private cloud deployments made for a singular agency and hosted on-site at a federal facility.
As outlined by the official FedRAMP website, the benefits of FedRAMP authorization are:
- Reduces duplicative efforts, inconsistencies, and cost inefficiencies.
- Establishes a public-private partnership to promote innovation and the advancement of more secure information technologies.
- Enables the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations and allowing agencies to leverage security authorizations on a government-wide scale.
Achieving FedRAMP Authorization
FedRAMP is one of the most rigorous software-as-a-service (SaaS) certifications in the world.
FedRAMP leverages the NIST Special Publication 800 series (with a special focus on the NIST 800-53 system controls) and requires cloud service providers (CSPs) to complete an independent security assessment conducted by a third-party assessment organization to ensure that authorizations are compliant with the Federal Information Security Management Act. The Federal Information Security Management Act is a legal framework that requires agencies to protect federal information.
How does FedRAMP authorization work?
There are two approaches to obtaining FedRAMP authorization:
- Authorization through the Joint Authorization Board (JAB), which consists of members from the Department of Defense, the Department of Homeland Security, and the General Services Administration. This is more time-consuming since only 12 CSPs are authorized each year, but authorization extends to the entire Federal Government.
- Authorization through a specific agency. Authorization for a specific agency generally takes less time; however, it requires separate authorizations for each agency (although the initial authorization package can be reused for each agency).
Steps to FedRAMP authorization
FedRAMP authorization involves four main steps:
- Package development. First, there’s an authorization kick-off meeting. Then the provider completes a System Security Plan. Next, a FedRAMP-approved third-party assessment organization develops a Security Assessment Plan.
- Assessment. The assessment organization submits a Security Assessment Report. The provider creates a Plan of Action & Milestones.
- Authorization. The JAB or authorizing agency decides whether the risk as described is acceptable. If yes, they submit an Authority to Operate letter to the FedRAMP project management office. The provider is then listed in the FedRAMP Marketplace.
- Monitoring. The provider sends monthly security monitoring deliverables to each agency using the service.
FedRAMP Authorization and Marketplace
Cloud service providers that are FedRAMP authorized are listed in the FedRAMP Marketplace.
There are three designations within FedRAMP Marketplace:
- FedRAMP Ready: Indicates that a Readiness Assessment Report (RAR) has been reviewed and deemed acceptable by FedRAMP.
- FedRAMP in process: Provided to CSPs that are actively working toward FedRAMP authorization with either the Joint Authorization Board (JAB) or a federal agency.
- FedRAMP Authorized: A designation provided to CSPs that have successfully completed the FedRAMP authorization process with the JAB or a federal agency.
How Cradlepoint can help
Cradlepoint is working toward achieving FedRAMP certification for its SaaS offerings. We are committed to the protection of federal data and have carefully developed foundational processes to ensure everything we do is secure.
Please visit our Cradlepoint Foundational Security webpage for more details.