What is a FedRAMP Certification?

Cloud service providers (CSPs) that want to work in the federal government sector must obtain FedRAMP certification. FedRAMP certification benefits small and large CSPs because it boosts security, increases efficiency, and offers them the opportunity to do business with U.S. government agencies.

FedRAMP, the Federal Risk and Authorization Management Program, is a government-wide program that determines if the cloud products and services offered by CSPs are secure enough to be used by federal agencies.

The FedRAMP program was established in December 2011 to provide a standardized approach to security assessments, authorization, and continuous monitoring for cloud products and services. CSPs that offer software-as-a-service (SaaS) solutions and other cloud services are assessed by third-party assessment organizations, or 3PAOs, that certify them as FedRAMP compliant if they meet the intensive information security guidelines of the program.

To maintain a FedRAMP authorization, a CSP must monitor and assess its security controls regularly, and demonstrate that the security of its cloud service offering continues to meet FedRAMP standards.

What is the FedRAMP Certification Process?

FedRAMP certification is a long, difficult, and potentially expensive process. Unlike FISMA (Federal Information Security Management Act), which allows organizations to perform their own assessments, FedRAMP certification must be performed by a certified 3PAO.

A cloud services provider can get certified in one of two ways, according to FedRAMP.gov:

  • A Joint Authorization Board (JAB) provisional authorization (P-ATO)
  • Via an Agency Authority to Operate


Joint Authorization Board (JAB) Provisional Authorization

The Joint Authorization Board consists of representatives from the DoD (U.S. Department of Defense), the DHS (U.S. Department of Homeland Security), and the GSA (General Services Administration). The JAB sets the FedRAMP accreditation standards and reviews authorization packages, including results from the assessments done by the 3PAOs. 

For a JAB provisional authorization, the CSP has to prove that there is a demonstrated demand for its service by a large number of agencies. As such, the JAB route is good for providers offering services that can be consumed by multiple agencies.

Agency Authority to Operate

The second way a CSP can obtain certification is via an Agency Authority to Operate. This is done through a specific agency, which grants the CSP the final authority to operate (ATO). As part of the agency certification or authorization process, a CSP works directly with an agency sponsor, which reviews the cloud service’s security package. This approach is best for cloud services providers that have developed what can be described as niche offerings. 

To decide which type of authorization is right for a particular cloud service offering, the CSP should review both processes and take into account the system deployment model, technology stack, market demand, and impact level. 

Federal agencies categorize CSPs’ cloud service offerings into one of three impact levels: low, moderate, and high. Different types of data require different types of security and protection, and these levels refer to the severity of a potential impact that may occur if an information system is jeopardized.

Even if a CSP doesn’t work with government agencies, adopting the FedRAMP security controls as part of its business plan will provide its customers with the peace of mind that comes from knowing they’re working with a provider that has been carefully vetted by the U.S. government.