October 28, 2020
In 2011, as part of the U.S. government’s “Cloud First Policy,” the Office of Management and Budget initiated the Federal Risk and Management Program (FedRAMP). FedRAMP was designed to enable federal agencies to leverage the efficiency of cloud-based products and services, confident in the knowledge that the systems used are secure and reliable. FedRAMP Director Ashley Mahan stated that FedRAMP “serves an important security role. It bridges government to the private sector, enabling agencies to take advantage of modern, transformative and secure cloud products and services.”
Obtaining FedRAMP authorization is not easy – the process can take anywhere from six months to two years at a cost of several hundred thousand dollars, at a minimum. Only 200 vendors have received FedRAMP authorization as of September 2020. In 2018, TrapWire Inc. received FedRAMP authorization with sponsorship from one of our DOD clients. This designation placed us in an elite group of private companies authorized to provide secure cloud services to the federal government, helping our clients expedite their Authority to Operate approval process. However, despite this authorization, we often encounter people who have never heard of FedRAMP or are unfamiliar with what exactly “FedRAMP authorization” entails and how it benefits their organization.
FedRAMP compliance requirements are spelled out in the NIST 800-53 framework — considered the “gold standard” in cyber security requirements. Among other things, FedRAMP-authorized vendors must implement controls commensurate with the sensitivity level of its system and data; undergo annual assessments by an authorized Third Party Assessment Organization (3PAO), including internal and external network penetration testing; and implement a Continuous Monitoring program that includes monthly vulnerability scans and remediation requirements. Additionally, all employees of FedRAMP-authorized service providers must undergo rigorous cyber-security training on an annual basis.
The benefits for you: whether you are with a government organization or in the private sector, FedRAMP-authorized cloud providers offer you the peace of mind that the systems they deploy are “best in class,” meeting the strictest security requirements of the federal government. If you are with a government agency, FedRAMP authorization will reduce the administrative burden on your CIO/CTO in obtaining Authority to Operate, enabling you to leverage cutting edge technologies in a faster and more efficient manner. All your organization’s users will enjoy greater reliability and system security. And as with any cloud-based system, costs are minimized; maintenance and equipment repairs are eliminated; and system upgrades and new features are rolled-out smoothly to all users with minimal involvement required of your in-house IT staff. FedRAMP authorization may be expensive for cloud providers, but it certainly delivers significant value to their clients.