FedRAMP Compliance - What You Should Know…In 5 Minutes!
Do you know what FedRAMP is? Do you know that it affects you if you provide almost any cloud-based product or service to a Federal agency? Do you think you need to comply with FedRAMP only if you want to do business with the Federal Government? Do you know how your competitors in the cloud space are using FedRAMP to their advantage? If any of these questions applies to you, read on.
FedRAMP In Short
You’re busy and don’t have time to spend researching and understanding the Federal Risk and Authorization Management Program (FedRAMP). Perfect! Read on.
A quick and dirty way to understand FedRAMP is to think of it as the Federal Information Security Management Act (FISMA) of cloud computing: it applies the same NIST SP 800-53 control catalog that FISMA systems already use, with additional cloud-specific parameters and controls layered on top. The Federal Government was an early adopter of cloud-based products and services, but it soon realized that the burden of security assessment and due diligence should rest with the cloud provider rather than be repeated by every agency that buys the same service. So FedRAMP was built on the operationally successful FISMA model with one assessment reused across agencies (“do once, use many times”), and it requires that a cloud service provider (including sellers of both cloud-based products and services) undergo an independent assessment by an accredited Third Party Assessment Organization (3PAO) and obtain an Authorization to Operate (ATO).
So FedRAMP is not really a “regulation” or a “certification” as much as it is an “authorization”, and there are two paths to it. A Federal agency that wants to use the service can sponsor the provider and issue an Agency ATO, which other agencies can then reuse. Alternatively, the provider can pursue a Provisional ATO (P-ATO) from the Joint Authorization Board (JAB), which is made up of the CIOs of the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA); a JAB P-ATO is a risk acceptance that individual agencies then rely on when issuing their own ATOs. In either case the provider does not simply “apply” for the authorization: it must document its system security plan, be assessed by a 3PAO, and remediate findings before an authorizing official accepts the residual risk.
Bottom line for cloud service providers: if you want to sell cloud services to Federal agencies, a FedRAMP authorization is not optional. Since the December 2011 OMB memo that established the program, agencies have been required to use FedRAMP-authorized cloud services.
Cloud Service Provider…Nope, not us!
One of the most misunderstood phrases in relation to FedRAMP is the term “Cloud Service Provider”. Read literally, it sounds as if you would escape the definition if you sell a cloud-based product rather than a service, if only a tiny part of your product runs “out there in the cloud”, or if you are really a service provider who bundles a cloud-based product as a minor part of your offering. The fact is that none of those distinctions matters to FedRAMP. What matters is whether a Federal agency uses the hosted component and whether federal information flows through it; if so, that component falls inside the authorization boundary, and for that component you are a Cloud Service Provider.
I don’t care…I don’t do business with the Federal Government!
Firstly, why not? The Federal Government is a market worth exploring: at the time of writing, reports estimated that the U.S. Federal Government cloud computing market would grow at about 16% CAGR over 2013-2018 to reach $10 billion by 2018.
But you’re right: technically, you have no need to go through the process of obtaining a FedRAMP ATO if you don’t intend to do business with the Federal Government. We’re not talking only about the ATO here, though.
An interesting thing about FedRAMP is the momentum it has gathered across the U.S. It was what you could call the “first mover” in defining a foundational security standard for what a secure cloud should look like, and that first-mover advantage has given FedRAMP significant weight in the private sector as well.
Cloud Service Providers have started using FedRAMP to add credibility to their cloud-based offerings. Because FedRAMP is well known and heavily discussed, aligning with it gives these companies a marketing edge; it is almost the equivalent of saying, “We didn’t have to comply with FedRAMP, but we decided to anyway.” Note that this does not require obtaining an ATO. It means implementing the FedRAMP baseline so that you can offer your customers the same level of security they would expect from an authorized cloud. No ATO, no 3PAO assessment. One caveat: without an authorization you cannot describe your offering as “FedRAMP Authorized”; the FedRAMP program publishes marketing guidance that reserves that phrase for providers holding an authorization. “Built to the FedRAMP Moderate baseline” is an honest description; “FedRAMP compliant” invites questions you cannot answer without an assessment.
It is also worth noting that the FedRAMP baselines are among the most demanding cloud security requirements in use today: they are built on NIST SP 800-53 at the Low and Moderate impact levels (a High baseline has since been added), with cloud-specific parameters layered on top. Choosing FedRAMP as the baseline for your cloud is therefore a sound decision, because the control set maps well onto other frameworks and customer security questionnaires, so most of what a security-conscious customer asks for will already be covered. It is not a guarantee of compliance with every other framework, but it is a strong head start.
FedRAMP Baseline Implementation and Audit
If you’re on your way to adding the FedRAMP tag to your cloud offering, make sure you interpret the FedRAMP baseline controls accurately and adequately. The controls can appear open-ended, so it is important to know where to draw the line on scope: define the authorization boundary (which systems, networks, data flows and third-party services are inside it) before you start implementing, or the effort can become a black hole for your budget. On the other hand, if you interpret the controls too lightly, you end up with a false sense of compliance with the baseline. A concrete check is to write the System Security Plan (SSP) control by control and, for each control, name the specific mechanism, configuration or procedure that satisfies it and the evidence an assessor could collect; a control whose implementation statement cannot be tied to evidence is not implemented.
A critical success factor in implementing the FedRAMP baseline is a mock audit or readiness assessment. Having an independent and experienced set of eyes examine the implemented controls, following the same assessment procedures a 3PAO would use, will save you a lot of pain and effort when (or if) you go through the actual 3PAO assessment.