Looking for tools and technologies to help protect your government agency or public sector organization from cybercriminals can be intimidating. Luckily, the Federal Risk and Authorization Management Program (FedRAMP) has made the selection process more manageable. Government organizations can use the FedRAMP marketplace to find and compare credible and secure authorized vendors.
What Is FedRAMP Authorization? Why Is It Important?
The Federal Risk and Authorization Management Program (FedRAMP) was created by the U.S. government to achieve a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.
According to the Market Connections FedRAMP Survey Results Report, 91% of federal agency respondents and 93% of state and local respondents said they have systems and solutions in the cloud. FedRAMP helps promote the adoption of cloud computing by government agencies through setting clear standards and processes for security authorizations. A cloud service provider (CSP) undergoes a rigorous authorization process for a particular cloud service offering (CSO) so that it can be listed in the FedRAMP marketplace. This reassures federal agencies, state and local governments and other public sector organizations that the service meets FedRAMP requirements.
In fact, 95% of federal respondents and 97% of state and local respondents saw benefits, beyond adhering to mandates, from moving to a FedRAMP Authorized solution. Some benefits include long-term cost savings and acceleration to broader cloud adoption.
How to Get FedRAMP Authorized
There are currently two approaches to getting FedRAMP authorization: Joint Authorization Board (JAB) or an agency authorization.
Option 1: Getting FedRAMP Authorization Through the JAB Process
The JAB process is only available to 12 CSOs per year. FedRAMP Connect is the process by which CSPs are evaluated based on the JAB Prioritization Criteria and prioritized to work with the JAB. To qualify, these CSPs must demonstrate government-wide demand. If selected and successful, the CSP receives provisional Authority to Operate (P-ATO).
- Preparation — The CSP undergoes preparation for the authorization process. The business makes adjustments to meet federal security requirements and prepares the security deliverables required for authorization. A third-party assessment organization (3PAO) also performs an independent audit of the CSP’s system.
- Authorization — The JAB reviews the CSP’s security package and issues a P-ATO for the cloud offering.
- Continuous Monitoring — All CSPs must complete an annual assessment and provide specific security deliverables to agency customers, including monthly vulnerability scan results, incident reports, deviation requests and requests for significant changes to the CSO.
Option 2: Getting FedRAMP Authorization Through an Agency
Authority to Operate (ATO) can also be obtained through an agency. This is when agencies work directly with the CSP to gain approval. Despite not working with the JAB, the authorization process is quite similar.
- Preparation — As mentioned above, the CSP prepares for the authorization process. During the pre-authorization phase, the CSP partners with an agency via the requirements outlined in FedRAMP Marketplace: Designations for Cloud Service Providers.
- Authorization — An agency conducts a security package review, performs risk analysis, accepts risk and issues an ATO. These security packages are available within the secure FedRAMP repository for agencies to review, perform a risk analysis and reuse.
- Continuous Monitoring — After authorization, CSPs must provide specific security deliverables to all agency customers, including an annual security assessment, a monthly plan of action and milestones (POA&M), vulnerability scan results, incident reports and requests for significant changes to the CSO.
Visit fedramp.gov for more information on the authorization process.
Why Choose a FedRAMP Authorized Password Management Tool
Federal agencies are required to use FedRAMP-certified CSOs. However, choosing a FedRAMP-certified password management solution such as Keeper Security Government Cloud is also beneficial for other public sector organizations, as well as private-sector organizations. Companies that have completed the rigorous FedRAMP authorization process have proven their commitment to maintaining the highest standards of cybersecurity.
Understanding the FedRAMP Marketplace
The FedRAMP Marketplace makes it easy for federal agencies to find FedRAMP Authorized cloud service offerings (CSOs).
Users looking for FedRAMP Authorized cloud services can explore the marketplace through the search bar. Services that are authorized, as well as those still working toward authorization, appear in the list. There are three statuses shown in the marketplace:
- Ready — Indicates that a Third Party Assessment Organization (3PAO) attests to a cloud service provider’s readiness for the authorization process. The CSP has attained a Readiness Assessment Report (RAR) that has been reviewed and approved by the FedRAMP Program Management Office (PMO).
- In Process — A designation provided to a CSP actively working toward a FedRAMP Authorization via JAB or a federal agency.
- Authorized — Indicates that the CSO has completed the process and successfully meets the security requirements with JAB or a federal agency.
Choosing Keeper Security Government Cloud
Keeper’s password and secrets management platform is FedRAMP Authorized and available in the AWS GovCloud. Our zero-knowledge and zero-trust architecture means your team’s information is safe and secure—at every level. Keeper implements the highest levels of secure encryption. Our internal practices are frequently audited by third parties so that we can continue to develop secure software and provide the most secure cybersecurity platform.
Frequently Asked Questions
How long does FedRAMP Authorization take?
The time it takes to obtain FedRAMP authorization varies depending on the CSP’s path and agency. In 2016, the government set out to create a faster timeline for FedRAMP authorization. According to FedRAMP Accelerated: A Case Study for Change Within Government, any CSP undergoing the JAB process should receive a decision within six months of the start of the process. However, this aspirational case study is not the reality for CSPs undergoing the FedRAMP authorization process. Currently, FedRAMP authorization continues to take years to complete.
How much does it cost to get FedRAMP Authorized?
Several variables affect the cost of FedRAMP certification since CSPs must cover the costs of:
Is FedRAMP based on NIST Standards and Guidelines?
FedRAMP draws from several NIST Special Publication (SP) documents, including NIST SP 800-53 for system controls and NIST SP 800-37 for risk management.