The Federal Risk and Authorization Management Program (FedRAMP) is a United States government program used to evaluate and authorize the offerings of cloud service providers (CSPs). This government-wide program is managed by the Office of Management and Budget (OMB), the U.S. Department of Homeland Security (DHS), the U.S. General Services Administration (GSA), the Federal Chief Information Officers (CIO) Council, the National Institute of Standards and Technology (NIST), and the Department of Defense (DoD).
CSPs who wish to offer their cloud service offerings (CSOs) to the U.S. government must first demonstrate FedRAMP compliance. FedRAMP is mandatory for all federal agencies and offers a number of benefits. It helps increase transparency between the U.S. government and cloud providers, promotes consistency and confidence in the security of cloud solutions, and encourages near real-time continuous monitoring.
FedRAMP grants authorizations to CSPs at different impact levels (low, moderate, and high), with each level referring to the severity of the potential impact if an information system were to become compromised or corrupted.
FedRAMP Low Impact Level
The low impact level of FedRAMP is considered the baseline security level. This impact level applies to organizations that manage information systems containing publicly available data. This means that if the data were compromised, it would have a low impact on an agency’s finances, safety, mission, and/or reputation.
The FedRAMP low impact level covers data intended for public use. The program currently contains two baselines for systems that store low-impact data: low-impact SaaS and the low baseline. The baseline for CSPs with low-impact software-as-a-service (LI-SaaS) was created to support cloud products and services that the agencies using them consider to be low risk. Low impact level systems have a total of 125 controls.
FedRAMP Moderate Impact Level
The moderate impact level of FedRAMP mostly covers data that is not available to the public, such as personally identifiable information (PII). A breach at this level could have a serious effect on the agency’s operations.
The moderate impact level is appropriate for cloud service providers that handle government data that is not publicly available. If a breach of a moderate impact level system were to occur, an agency could suffer fairly significant damage to agency assets, reputational harm, and financial losses. FedRAMP moderate impact level systems have a total of 325 controls.
FedRAMP High Impact Level
The final and most serious impact level is the FedRAMP high impact level. This impact level covers sensitive federal information, such as healthcare, emergency services, and law enforcement data. If a breach of a government system containing this type of data were to occur, the results would likely be catastrophic.
Operations could potentially be shut down and financial ruin may occur. High impact level losses could also pose a threat to intellectual property and possibly harm a human life.
The FedRAMP high impact level establishes a standard for protecting some of the U.S. federal government’s most sensitive unclassified information stored in cloud computing environments. High impact level systems are required to comply with a total of 421 controls.
Why Is FedRAMP Certification Important?
Any cloud service that holds U.S. federal data is required to get FedRAMP authorization. FedRAMP was developed as a way to create consistency in the security of United States government cloud systems. The program helps evaluate and monitor agency security and provides a single set of standards for all cloud providers and government agencies.
When a cloud service provider receives FedRAMP authorization, it is listed in the FedRAMP Marketplace. This marketplace is often the first place a government agency looks when it wants to find a new cloud-based solution. Being able to select a CSP that is already FedRAMP authorized can save an agency a significant amount of time compared to waiting for a new vendor to start and complete the authorization process.
The FedRAMP Marketplace is available to the public, meaning cloud service providers that receive FedRAMP authorization and are listed in the marketplace are more likely to receive additional business from U.S. government agencies. This authorization makes clients more confident about certain security protocols and represents the provider’s commitment to maintaining the highest security standards possible.
Becoming FedRAMP certified can be a long and complex endeavor for businesses of any size. There are two main ways to become authorized, the most common being a provisional authorization from the Joint Authorization Board (JAB). A CSP may also receive an agency authority to operate (ATO) by establishing a relationship with a specific federal agency that is involved throughout the process.