What Is FedRAMP Compliance & Why Does it Matter?

Learn everything you need to know about FedRAMP compliance, including what it is, why it matters, and how to achieve it.

Federal Risk and Authorization Management Program (FedRAMP) compliance is a rigorous government certification that helps agencies find trusted cloud service products.

Whether you’re a developer looking to achieve FedRAMP authorization for your brand or a government agency searching for trusted applications, you’ve come to the right place.

Below, we’ll walk you through everything you need to know about FedRAMP compliance, including what it is, why it matters, and how to achieve it.

What is FedRAMP compliance?

FedRAMP, or Federal Risk and Authorization Management Program, is a US federal government program with a standardized approach to data security, authorization, and monitoring for cloud service offerings (CSOs) and products.

The government wants to ensure federal agencies use the right tools to mitigate risk and data leaks—this is how they’ve made it happen.

The FedRAMP standard was initiated by the Office of Management and Budget (OMB) in 2012 after the Cloud First Policy (now renamed as Cloud Smart Strategy).

Currently, the FedRAMP program is governed by the Joint Authorization Board (JAB), which includes Chief Information Officers (CIOs) from the following:

  • General Services Administration (GSA)
  • Department of Defense (DoD)
  • Department of Homeland Security (DHS)

CSOs certified by FedRAMP have gone through a rigorous testing and monitoring process. (You can see services that are FedRAMP-compliant on the FedRAMP marketplace. The marketplace makes it easier for various government agencies to find suitable CSOs without authorization.)

The marketplace lists all FedRAMP-compliant cloud providers, including Valimail. If you’re looking for a DMARC-as-a-service guaranteed by FedRAMP, our solution is authorized for government use under the GSA FedRAMP program. We have the reliability and security needed to support federal, local, and state government organizations.

Why is FedRAMP important?

FedRAMP authorization isn’t something to take lightly.

It’s one of the most rigorous authorization certifications to go through as a cloud-based platform or business with cloud service offerings. According to the mandate, federal agencies default to cloud-based solutions whenever possible.

While cloud-based solutions will improve the operational efficiency of an organization, they also introduce cloud security risks that the public sector simply can’t afford. For instance, a data breach of a government agency could result in a loss of trust from citizens, major financial loss, and even a danger to national security.

Ultimately, FedRAMP provides a standardized approach to verify the security of cloud services handling federal data effectively and cost-effectively.

But besides improving your credibility and security as a cloud service provider, FedRAMP provides the following additional benefits:

  • Increased consistency in the security of cloud solutions against National Institute of Standards & Technology (NIST) and FISMA-defined standards.
  • Improved transparency and trust between the US government and cloud providers.
  • Automation and real-time monitoring to simplify the authorization process.
  • Expedited/speedy adoption of cloud-based solutions.
  • Secure cloud solutions through the reuse of assessments and authorizations.

How to become FedRAMP compliant

There are two ways to achieve FedRAMP compliance:

  1. JAB authorization
  2. Agency authorization

These two paths are for cloud products with low, moderate, and high impact levels.

Before anything else, you need to determine which path you’ll take.

The JAB route is limited to approximately 12 CSOs per year. If your CSO is something that you think will be broadly used by all government agencies, it’s possible that you can go through this route.

Unlike the JAB route, there’s no specific schedule for the agency route. You can go through this route if you have an agency to partner with that will use your services.

Although there are two different paths, the core processes remain the same. After selecting the path you’d like to take, there are three more steps you need to go through to achieve authorization to operate (ATO):

  • Preparation
  • Authorization
  • Continuous monitoring

Let’s take an in-depth look at the two different pathways and their respective FedRAMP processes below.

Note: Other than the two main paths you’ll see here, there’s also a tailored authorization for low-impact SaaS providers that is much simpler than the agency and JAB authorization processes. (It’s designed mainly for project management tools and other very low-impact solutions.)

FedRAMP processes for compliance

JAB process for FedRAMP compliance

The JAB authorization process prioritizes CSOs likely to be used government-wide (for example, cloud computing platforms like AWS or Google Workspace). In this case, the ATO is issued by JAB, but agencies still need to issue their own ATO to work with you.

In the preparation stage, there are three steps to go through:

  1. FedRAMP Connect: JAB only authorizes 12 CSOs each year, so you’ll need to go through FedRAMP Connect, which is a process that identifies which CSOs will undergo the assessment process.
  2. A readiness assessment: Cloud service providers (CSPs) also have to achieve a FedRAMP Ready status, which they can get by working with an accredited Third Party Assessment Organization (3PAO) for a Readiness Assessment.
  3. A full security assessment: The CSP will have to work closely with an accredited 3PAO and turn in several documents as a security authorization package.

Finally, the CSP and assessor from the 3PAO will have to work with JAB to complete the authorization process. This stage entails a review of the CSO’s system architecture, security capabilities, risk posture, as well as the security authorization package submitted during the preparation stage.

After completing the review and addressing issues, you’ll finally attain your Provisional Authority to Operate.

The final step is the continuous monitoring program, where you’ll need to turn in monthly monitoring deliverables and undergo an annual assessment to ensure your CSO is still safe to use.

Agency process for FedRAMP compliance

The agency authorization allows CSOs to partner with specific agencies to attain an ATO for that particular agency. This process is often used for CSOs with a niche use case.

Unlike JAB authorization, you can undergo agency authorization if you have an agency to collaborate with to complete the process.

Instead of FedRAMP Connect, the agency preparation is a two-step process that starts with a readiness assessment and ends with pre-authorization. Additionally, the readiness assessment is optional in this route.

Pre-authorization is a step to formalize the connection between the CSP and the agency it’s working with. This is also the time to prepare the security deliverables and fix the security requirements needed to achieve FedRAMP.

To start the authorization process, the CSP will collaborate with a 3PAO to go through a full security assessment and create the security authorization package, similar to the documents created during a JAB authorization.

In the final step of the authorization process, the agency will review the security authorization package submitted by the CSP and publish an ATO letter if the CSP passed the review.

To register for the FedRAMP marketplace, the CSP and 3PAO will then submit the required documents and the ATO letter from the agency to be reviewed by the FedRAMP Program Management Office.

Requirements for FedRAMP compliance

Here are the requirements for FedRAMP compliance at a high level:

  • Fulfill the security controls outlined in NIST 800-53 and supplemented by the FedRAMP Program Management Office.
  • Implementation of controls that comply with FIPS 199 categorization.
  • Completion of various FedRAMP documentation, including the System Security Plan (SSP) and a Plan of Action and Milestones (POA&M).
  • Assessment by an accredited Third Party Assessment Organization (3PAO) to complete the security authorization package documents and assist in the authorization process.
  • Obtain Joint Authorization Board (JAB) Provisional ATO (P-ATO) or Agency ATO.
  • Implement a Continuous Monitoring (ConMon) program, including monthly vulnerability scans and an annual assessment.

For more information, FedRAMP provides templates for the documents you have to submit, training, and other resource materials for small businesses and startups.

Valimail: Compliance and security all-around

If you still need to set up DMARC and are looking for a platform that’s guaranteed to be secure, Valimail is the only provider with FedRAMP Compliance accreditation.

Contact us today if you’re looking for a quick and simple path to DMARC enforcement. We can help you assess what you need to achieve DMARC enforcement to attain FedRAMP accreditation quicker.
