June 12, 2019

    Understanding the Basics of FedRAMP Compliance

    The Federal Risk and Authorization Management Program (FedRAMP) is a standardized, government-wide approach to assessing, authorizing, and continuously monitoring the security of cloud products and services used by U.S. federal agencies. A thorough understanding of the FedRAMP basics helps you confirm that the cloud service providers you choose to work with meet the security requirements the program imposes.

    Below are the answers to some key questions regarding FedRAMP compliance. Find out how compliance with these guidelines can be beneficial for cloud service providers and the organizations that partner with them.

    What is FedRAMP?

    The Federal Risk and Authorization Management Program (FedRAMP) is a set of security requirements, established in 2011 by the Office of Management and Budget (OMB), that focuses specifically on cloud-based products and services. Its governing body, the Joint Authorization Board (JAB), is made up of the Chief Information Officers of the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense (DoD).

    Because the cloud has transformed the way many organizations run their information systems, a specific set of requirements is needed to address the security concerns that come with it. FedRAMP uses a “do once, use many times” model: a cloud service provider is assessed once against the FedRAMP baseline, and the resulting authorization package can then be reviewed and reused by any federal agency instead of each agency repeating the full assessment. The provider keeps the authorization through ongoing continuous monitoring of its controls. This repeatable approach cuts the cost and effort that both providers and agencies would otherwise spend on duplicate assessments. As organizations move from legacy IT systems to cloud-based ones, the FedRAMP requirements help mitigate risk and ensure alignment with U.S. government-approved standards.

    How Does FedRAMP Work?

    Cloud service providers offer federal agencies a number of benefits, such as the convenience of accessing data from anywhere and the cost savings of not needing to invest in expensive physical equipment. However, agencies still need to verify that high security standards are met before entrusting their data to a cloud service provider.

    FedRAMP makes it possible for a cloud service provider to obtain a Provisional Authorization to Operate (P-ATO) after an independent Third Party Assessment Organization (3PAO) tests its security controls and the JAB reviews the results. Once a provider holds a P-ATO, an agency can review that existing authorization package and issue its own authorization on the basis of it, rather than performing a full assessment from scratch, while still keeping responsibility for its own risk decision.

    FedRAMP vs. FISMA

    FedRAMP and FISMA (the Federal Information Security Management Act) are two closely related sets of federal security requirements, and a cloud service provider may be required to align with one or both of them. The simplest way to sum up the connection is that FedRAMP clarifies how FISMA requirements apply to cloud services. To confirm that your business, or the cloud service provider you work with, is meeting the appropriate standards, it helps to understand the differences and similarities between FISMA and FedRAMP.

    How FISMA and FedRAMP are Similar

    The ultimate goal of both FISMA and FedRAMP is to protect government data. The control families used by the two are the same, because both draw on the NIST SP 800-53 security controls to define how systems and data must be protected; FedRAMP builds its Low, Moderate, and High baselines from those controls and adds cloud-specific parameters and requirements on top of them.

    How FISMA and FedRAMP are Different

    Though both FISMA and FedRAMP focus on the protection of government data, they apply to different areas. FISMA is a law that requires federal agencies to secure the information systems they own or operate, and FedRAMP sets the security requirements for cloud-based services that those agencies use.

    The easiest way to differentiate between the two is to think of FedRAMP as the cloud version of FISMA. Cloud computing has a number of characteristics, such as multi-tenancy and shared responsibility between provider and customer, that FISMA alone does not address, so cloud providers that serve government agencies must meet the FedRAMP requirements as well.

    What is FedRAMP Compliance, and Who Should Comply?

    FedRAMP compliance requires more than simply aligning with the guidelines; implementing the controls is only the first step. A cloud service provider must demonstrate compliance by obtaining one of two authorizations for its cloud service offering: an Authorization to Operate (ATO) granted by a federal agency, or a Provisional Authorization to Operate (P-ATO) granted by the JAB. The first and generally more accessible option is the agency ATO, in which a sponsoring agency reviews the provider's security package (normally including a 3PAO assessment) and accepts the risk for its own use. The more demanding option is the JAB P-ATO, which requires a 3PAO assessment and review by the JAB and is intended for services that many agencies will reuse.

    Which companies should be concerned with FedRAMP compliance? Any cloud service provider that has contracts with federal agencies, or wants to pursue that kind of business in the future, should obtain a JAB P-ATO or an agency ATO. This requires the provider to implement the necessary security controls, continuously monitor those controls to confirm they remain effective, and earn and maintain the authorization. However, compliance can also benefit cloud service providers that have no current plans to partner with federal agencies, as well as private-sector companies concerned with data security.

    Why Should You Comply with FedRAMP?

    While FedRAMP is mandatory for cloud services used by federal agencies, compliance can also benefit companies and cloud service providers working in the private sector. Elective FedRAMP alignment demonstrates a commitment to rigorous security standards. It also offers transparency into the security controls you operate on a daily basis and the assessment process you use to keep those controls working properly.

    Also, applying the FedRAMP baseline in your own business gives you a well-defined basis for confidence that your data is protected. It reduces the risk of a data compromise, and because the baseline includes incident response controls, you will already know what steps to take to contain an incident if one does occur.

    Using a cloud service provider that already has FedRAMP controls in place can also be beneficial. When your provider has those measures built in, you can rest assured that your company is better positioned to meet other requirements that reference the FedRAMP baselines, such as DFARS 252.204-7012, which requires cloud services that store covered defense information to meet security requirements equivalent to the FedRAMP Moderate baseline, and ITAR. Keep in mind that the provider's authorization covers the service itself; you remain responsible for the controls on your side of the shared-responsibility line, such as how you configure the service and manage access to it.

    If you’re considering a partnership with a cloud service provider, make sure to choose one with the appropriate FedRAMP authorization in place, and verify it rather than taking it on faith: ask for the authorization level (Low, Moderate, or High), the authorizing agency or JAB designation, and the current continuous-monitoring status. This helps ensure you have the needed level of data protection and reduces the risk of a breach.


    Find out more about the needed security controls to comply with ITAR standards. Get your free ITAR compliance guide now.

    Tag(s): Government

    Martin Horan

    Martin, Sharetru's Founder, brings deep expertise in secure file transfer and IT, driving market niche success through quality IT services.
