
How to Obtain FedRAMP Approval for Government Cloud Services

Taking advantage of the benefits of cloud computing is not restricted to organizations operating in the private sector. In the United States, local, state, and federal governments make extensive use of public cloud resources. As is customary for all types of government contracts, some assessments and approvals must be obtained before the offerings of a cloud service provider (CSP) can be used by specific agencies. Government contracts can be very lucrative and service providers who want a piece of the business need to demonstrate that their products meet all requirements surrounding security and functionality.

All CSPs that wish to do business with the U.S. federal government need to be assessed and approved by the Federal Risk and Authorization Management Program (FedRAMP). The program's goal is to protect the data of U.S. citizens when it is in the cloud, and it is the most rigorous security framework in use by the government.

FedRAMP was created to address the problem of different and potentially conflicting requirements for each agency working with cloud providers. FedRAMP provides standard security baselines and processes that simplify the process of obtaining cloud services for both providers and government agencies. Once a CSP achieves FedRAMP approval for an offering, it is listed in the FedRAMP Marketplace to gain visibility across the government.

Navigating the FedRAMP Authorization Process

CSPs that want authorization to provide services to federal agencies need to follow a process composed of three complementary phases.

In the pre-authorization phase, CSPs should complete FedRAMP training, which includes modules that define the baseline security plan. Education can be accessed via online courses, webinars, or in-person training events. A request from the CSP will result in a consultation with government subject matter experts set up by the FedRAMP Program Management Office (PMO). To successfully get through this phase of the authorization process, a CSP needs to:

  • Document agency interest in their offering and establish partnerships with agency customers.
  • Establish a partnership with an approved third-party assessment organization. 
  • Ensure that the service implements the required security controls.

During authorization, a CSP is responsible for developing a package that includes a completed System Security Plan. The plan is then assessed by the third-party assessment organization and findings are presented to the CSP for remediation. When all risks have been successfully addressed, the CSP attains authorization and status as a FedRAMP authorized vendor.

In the post-authorization phase of the process, the CSP is required to provide monthly monitoring deliverables to the agency using its service. Failure to provide these documents can result in the service losing its authorization.

The purpose of FedRAMP is to eliminate any confusion regarding the ability of individual agencies to use cloud services. Because authorized services are published on the FedRAMP Marketplace, the authorization process only needs to be done once for each offering. Once approved, an offering can be used with confidence by any federal agency that wants to use the service.

This appears to be an example of government working efficiently by reducing the duplicate work that would ensue from individual agencies or departments authorizing CSPs. In a subsequent post, we will take a closer look at the FedRAMP Marketplace and the agencies that use its authorized services. 

Robert Agar

I am a freelance writer who graduated from Pace University in New York with a Computer Science degree in 1992. Over the course of a long IT career I have worked for a number of large service providers in a variety of roles revolving around data storage and protection. I currently reside in northeastern Pennsylvania where I write from my home office.
