Guide To FedRAMP Certification


Key Takeaways:

  • Handling U.S. federal government data on the cloud requires FedRAMP certification.

  • Organizations that are FedRAMP certified have some of the most rigorous cybersecurity



Lax cybersecurity that leads to a data breach can cost businesses money and customers, but when government data is involved, hacks can have national security implications. That’s why any vendor working with United States federal government data on the cloud must meet the rigorous cybersecurity standards of its Federal Risk and Authorization Management Program, known as FedRAMP certification.

FedRAMP Basics

FedRAMP was created in 2012 as a response to the Federal government’s ‘cloud-first strategy’ requiring Federal agencies to pursue cloud-based solutions as the first option. FedRAMP streamlines authorization packages for cloud service providers by creating consistent evaluations and requirements. FedRAMP is administered by a Joint Authorization Board (JAB) made up of representatives from the Department of Homeland Security, the General Services Administration, and the Department of Defense.

FedRAMP certification is focused on three areas: confidentiality, integrity, and availability. Two paths are available for organizations that want to be certified: the agency method grants approval through working with a specific agency, and the JAB method grants approval through working with the JAB itself.

Certification Process

FedRAMP certifications happen across four major steps. First, package development starts with a kickoff meeting where plans for a system security plan are laid out. A FedRAMP-authorized third party then crafts a security assessment plan. Next is assessment, when the third-party assessor submits its security assessment report and the cloud provider creates a plan of action with milestones.

During the authorization phase, the JAB decides whether the risk as described is acceptable; if the provider is approved, it submits an ‘authority to operate’ letter to the FedRAMP project management office and lists the provider on the FedRAMP marketplace. Providers then stay in the monitoring phase for the duration of their certification, sending monthly security monitoring deliverables to each agency using the cloud-based service.

The process is lengthy and challenging, and for most providers it may not be worth it. Still, it’s important to remember that a FedRAMP certification goes beyond working with the Federal government or being listed on the marketplace. A FedRAMP certification tells clients and potential customers that you take cybersecurity seriously, boosting credibility in both the public and private sectors. To help providers achieve FedRAMP certification, the JAB interviewed providers that successfully navigated the process and compiled seven tips for getting approved.

Impact

Nearly 240 organizations have been FedRAMP certified, including services like Slack and Amazon Web Services. Being FedRAMP certified isn’t just about being compliant; it’s about going above and beyond to offer value to clients through rigorous security. FedRAMP certifications save time and money by reducing redundant assessments, leading to faster cloud adoption and safer cloud-based communication and data transfer.

