FedRAMP (the Federal Risk and Authorization Management Program) was launched by a group of federal agencies that realized the efficiency of having a single risk-based standard for cloud service providers (CSPs), rather than each federal agency developing its own security assessment program from scratch when forging a business relationship with an industry partner.
As all organizations (including government agencies) grow more interconnected and rely more heavily on the cloud environment, cloud security and risk assessment should rise to the forefront of everyone’s mind. So let’s examine what FedRAMP is and how public-sector cybersecurity solutions can help you achieve FedRAMP compliance.
What is FedRAMP (Federal Risk and Authorization Management Program) and how was it created?
FedRAMP was created in 2011 by the Office of Management and Budget (OMB), and today is used across the entire U.S. federal government. FedRAMP itself is overseen by a group of government agencies including the General Services Administration (GSA), the Department of Defense (DOD) and the Department of Homeland Security (DHS). Founding agencies are all represented on the Joint Authorization Board (JAB).
It’s the JAB that selects and authorizes the cloud technologies that become FedRAMP-authorized, and it’s also the JAB that provides continuous monitoring of these products to make sure they meet cybersecurity and National Institute of Standards and Technology (NIST) standards.
As an added layer of scrutiny, JAB employs a network of third-party assessment organizations (3PAOs) which are responsible for verifying that an individual cloud solution is indeed safe. 3PAOs also provide an overall risk assessment of the individual cloud services provider and report back to the JAB.
That’s a lot of acronyms—what does it all mean to a small business or a smaller state or local government agency?
It means that instead of undergoing a long and tedious individual trial of cloud service providers, products and solutions, a government agency can simply look for a cloud solution that is FedRAMP-authorized and eliminate all guesswork as to whether that solution is safe.
FedRAMP provides a standardized approach to testing cloud service offerings that works well for government agencies small or large. FedRAMP authorization also assures that any authorized cloud product complies with the Federal Information Security Management Act (FISMA), which requires that all federal agencies take steps to protect the sensitive data they manage.
How do cloud service providers get authorized?
The JAB selects about a dozen cloud service providers and solutions to work with each year. If a provider passes a detailed scrutiny and testing program, it receives what’s called a JAB Provisional Authority to Operate (P-ATO).
The cloud products progress through three steps toward authorization:
- A preparation phase, which includes a readiness assessment followed by a full security assessment;
- A JAB authorization phase with a full review of the cloud solution’s functionality (this takes 12 to 13 weeks);
- And after the authorization process comes the ongoing monitoring of the cloud solution by the JAB. This is especially important because ongoing monitoring means that authorized cloud products must stay current on cybersecurity threats or they will lose their FedRAMP authorization.
The FedRAMP website has a detailed outline of the process as it is experienced by cloud service providers, federal agencies and 3PAOs.
Why is FedRAMP important to local and state government agencies?
Consider the example of city hall upgrading its computer information systems. One desired goal is to store consumers’ utility bills in the cloud. Since those bills contain protected personal data such as names, addresses and phone numbers, city hall will need to find a software-as-a-service (SaaS) program that meets high security standards.
FedRAMP simplifies the task of finding a reliable, trustworthy cloud service provider. City hall can simply search for FedRAMP-approved vendors, rather than embark on a tedious, exhaustive vendor review of its own.
Cybersecurity and compliance management tools
As you forge a path for your business through the pandemic and our highly interdependent world, many tools can help keep your business safe and your data secure as you migrate into a cloud-based environment.
ZenGRC’s compliance, risk, and workflow management software is an intuitive, easy-to-understand platform that not only keeps track of your workflow, but also lets you find areas of high risk before that risk has manifested as a real threat.
Worry-free compliance management is the Zen way. For more information on how ZenGRC can enable your CMS, contact us for a demo.