The Importance of FedRAMP Authorization to Government Contractors
This means enormous opportunity for organizations developing applications in the cloud that are interested in the government sector. First, though, they need to achieve Federal Risk and Authorization Management Program (FedRAMP) authorization for their solution. Any cloud service that holds federal data—including personally identifiable information (PII), protected health information (PHI), payment card industry (PCI) information, and controlled unclassified information (CUI)—must be FedRAMP authorized. FedRAMP authorization assures federal agencies that the solution adheres to Federal Information Security Management Act (FISMA) and National Institute of Standards and Technology (NIST) Special Publication 800-53 data privacy and security standards. And it checks that box for the agency: they get a pre-vetted contractor that meets federal security standards; the contractor does all the work to obtain and then maintain the status.
History of FedRAMP
The first nudge in the push to modernize the federal government’s IT capabilities toward the cloud was the aptly named Cloud First initiative, released by the Office of Management and Budget in 2011. Cloud First stated that the government had to move to the cloud, but it didn’t include specifics on how to do so. FedRAMP, released in 2011, was designed to provide the federal government with a cost-effective and risk-based approach to adopting and using cloud services, with an emphasis on security and protecting federal information.
The 2019 Federal Cloud Computing Strategy—Cloud Smart—built on Cloud First. It focused on three interrelated areas to drive governmental cloud services adoption: security, procurement, and workforce. FedRAMP is included as a major element of the security strategy area, providing a standardized, government-wide approach to security assessment and continuous monitoring of cloud services. And in 2022, the FedRAMP Authorization Act was passed. It served to codify FedRAMP to provide a “standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified federal information.”[1] Other goals for the Act included reducing costs and burdens for cloud providers working to obtain FedRAMP authorization, improving the speed for authorization, and driving the adoption of secure cloud capabilities to create jobs and reduce the use of end-of-life information technology.
Advantages to Becoming FedRAMP Authorized
With the teeth of the FedRAMP Authorization Act behind it, achieving FedRAMP authorization opens the door to cloud service contracts across the federal government. It is a rigorous process, and companies should be prepared to commit time, money, and staff to it. They are also required to work with a FedRAMP-authorized third-party assessment organization (3PAO) that helps them put together their security package. The FedRAMP Project Management Office (PMO) guides the process with a range of templates and checklists and reviews the Readiness Assessment Report the 3PAO submits.[2]
But it is well worth the effort. After the contractor achieves the authorization to use their cloud service with one federal agency—called their sponsor—any federal agency can reuse their security package—a process referred to as “do once, use many.” And FedRAMP lists authorized vendors on the FedRAMP Marketplace, a searchable database that agencies across the government can use to find vendors according to service offering: IaaS, PaaS, and SaaS.
What is StateRAMP?
Rolled out in January 2021, StateRAMP is a nonprofit organization modeled on FedRAMP: it is built on NIST SP 800-53 and does essentially the same thing for participating state and local governments, offering assurance that government-selected third-party cloud vendors that process, store, and/or transmit government data meet and maintain the government’s published cybersecurity policies.
StateRAMP benefits member state and local governments by providing a common method and standard to help guide their cloud security verification requirements and process. This also benefits contractors working with different state governments—they need only meet this common StateRAMP standard rather than deal with a patchwork of different state requirements: what StateRAMP calls a “do once, serve many” approach.
StateRAMP also requires contractors to be assessed by FedRAMP-authorized 3PAOs and to undergo continuous monitoring and annual certifications. Contractors that are FedRAMP-authorized are fast-tracked to StateRAMP authorization.
There are several differences between FedRAMP and StateRAMP, but the main one is that cloud vendors wanting to do business with state and local governments are currently not required to have StateRAMP authorization. However, more states are starting to mandate it, and many states make it a prerequisite for selecting their preferred vendors.
The process of obtaining FedRAMP and/or StateRAMP authorization is not for the faint of heart. But companies that achieve it will likely find it to be a business differentiator. It can both open the door wide to government contracts and help them gain a competitive edge in the private sector. It’s the ultimate seal of security approval.
[1] “Overview,” https://www.fedramp.gov/program-basics/
[2] Part 2 in this blog series will cover the steps in the FedRAMP process in more detail. For more information on the process, see The CSP Authorization Playbook.