It’s been six years since the U.S. government first introduced the FedRAMP authorization process. Since then, the program has become a widely respected indication of information security risk management and compliance, as well as a requirement for cloud service providers who work with federal agencies. It’s not easy to achieve FedRAMP authorization, and many companies — especially those new to the federal government environment — struggle with the FedRAMP requirements. From quarterly reporting, to ensuring data integrity, guaranteeing quality of service, and protecting personally identifiable information (PII), it’s a complicated and involved process.
What is FedRAMP?
The federal government created the Federal Risk and Management Program (FedRAMP) to protect federal agencies from cybersecurity risks when adopting cloud-based applications and infrastructure, such as software-as-a-service (SaaS) products. Specifically, FedRAMP determines which cloud-based products and services can be used by federal agencies, based on the products’ level of security compliance, documentation, and operational procedures.
When federal agencies review cloud-based IT solutions, they look for FedRAMP-authorized products (there are currently just over 100). It’s not absolutely mandatory, but using a FedRAMP-authorized product simplifies the acquisition process because it represents compliance with the NIST internal controls and security assessments required for issuing an Authority To Operate (ATO), and it reduces the level of effort and review required of agency IT and operational staff for cloud-based software products.
FedRAMP was created in response to demand from federal agencies to work with cloud service providers (CSPs). The process vendors had to go through to demonstrate security compliance had become quite hefty, so FedRAMP standardized it, specifically through NIST Special Publication 800-53, a rigorous set of controls designed to safeguard federal information systems.
Benefits of Working With a FedRAMP-Authorized CSP
In selecting a service with a FedRAMP authorization, agencies aren’t simply meeting requirements; they’re affording their organizations many efficiency and security benefits.
- The authorization makes working with companies (such as Valimail) much more efficient and cost-effective. Agencies don’t have to conduct exhaustive due diligence on our security infrastructure before inviting us to respond to a federal request for proposals (RFP), because that diligence has already been done as part of the FedRAMP process. We, like other companies that have won FedRAMP authorization for their products, have done the hard work and continue to do the hard work to maintain our status.
- Companies that have been granted FedRAMP authorization have met extremely stringent guidelines. Their product’s information security controls have been assessed and proven compliant. This demonstrates lower risk and greater stability to the agency, and provides peace of mind to customers.
- FedRAMP has more than 170 controls that are validated according to industry standards and best practices. In order to maintain the FedRAMP ATO, companies like Valimail invest extensive time and resources — even well after the authorization has been granted. In other words, we do the hard work again and again and again, so our federal customers don’t have to.
What it Takes to Achieve FedRAMP Authorization
There are three phases to the program, and it can take many months to complete. The first phase, preauthorization, brings three parties together: a federal agency, the cloud service provider (CSP), and the FedRAMP program management office. They get on the same page regarding timeline, requirements, responsibilities, and execution.
The second phase, the authorization process, entails a thorough review of the CSP, vetting more than 170 controls to ensure the necessary level of compliance with federal requirements. It can be a somewhat arduous time for the CSP, involving various resources, both internal and external, and is not an insignificant cost to the organization. Indeed, companies that go through this process are highly committed to being a secure cloud partner to federal agencies.
Once the FedRAMP program management office determines that the review is complete and the CSP is at an acceptable level of security, the agency submits the CSP’s authorization package to an official within the agency who can approve it or send it back for remediation. Once approved, the agency issues an Agency Authority to Operate (ATO). Subsequently, after reviewing the ATO and making sure that the CSP has completed all necessary remediation measures, the FedRAMP program office issues a FedRAMP authorization for the product.
Once a CSP receives the authorization from the FedRAMP office, its work isn’t done. Companies like Valimail follow a strict post-authorization maintenance plan in order to keep their authorization status. This assures federal agencies that use our product that it remains extremely safe and federally compliant.
All CSPs that hope to win or keep contracts with federal agencies should start wrapping their minds around FedRAMP sooner rather than later.