It stands for Federal Risk and Authorization Management Program. But, is it a good thing or a bad thing? It’s absolutely a good thing. And why is that?
Basically, FedRAMP keeps the data of federal agencies safe while CSPs (cloud service providers) are in use. In a world where the cloud is being used on a regular basis, it’s important to have safety protocols in place to protect all of our information.
If you want to be able to provide cloud services to the American government, then FedRAMP applies to you. We’ve spoken to organizations whose market capitalization goes up when they are even shown as being in process on the FedRAMP marketplace. That means, if you want your business to have a larger piece of the pie, then absolutely FedRAMP applies to you as a Canadian organization.
There’s a lot that a provider must go through in order to get FedRAMP certified. And it’s for good reason: an entire country’s critical data is at stake. When it comes to getting certified, there are 2 options. A provider can take either the Joint Authorization Board (JAB) route or the Agency Authority to Operate (ATO) route.
Option 1: JAB Provisional Authorization
The Joint Authorization Board is one way of providing the FedRAMP certification. The board includes representatives from 3 big departments: the Department of Defense, the General Services Administration, and the Department of Homeland Security.
Only 3 service providers are allowed in any given quarter. Before a CSP is admitted, though, it must first prove that many agencies have a huge demand for its services. This vetting process knocks many contenders out of the running. Once the proof has been verified, the CSP is examined thoroughly. Security is the primary concern, so it is the aspect that is examined the most.
The entire application ends with a huge Question & Answer session. FedRAMP authorization is then either granted or denied.
Option 2: Agency Authority To Operate
So, how about the CSPs that don’t have many agencies chasing after their services? What if only a handful of agencies wish to use the services? This comes into consideration under this option of certification.
Certification under this option is granted on an as-needed basis, meaning that the CSP will need to formalize its operations for a single government agency. How about the System Security Plan (SSP) of the CSP? Will it be adequate for the services provided? This is up to the individual agency to decide. Of course, a Security Assessment Plan (SAP) will need to be used first. A third-party assessment organization will need to take part in the analysis as well. These third parties are chosen by the government to test FedRAMP compliance.
Choosing The Right Option
If a CSP offers services that can be used by many different agencies, then option 1 (JAB) is the best choice. For those providers who seem to have a “niche” offering for a specific agency, option 2 (ATO) will work out the best. Regardless of the chosen option, certification is extremely rigorous. FedRAMP-certified providers are going to be top-notch when it comes to the security of a nation’s citizens.
When everything is laid on the line, FedRAMP offers peace of mind when choosing a cloud service provider. A CSP with this certification has walked through the fire to become a solid choice for any agency that values security.