
Exploring FedRAMP Certification: What to Consider

06/03/2015  |  By: Sese Bennett, CISSP, CISM, QSA, ITIL, HITRUST CSF, Senior Manager, Information Security


Social Logo Social Logo Social Logo Social Logo

If you work with the federal government, or are a federal agency, you have likely heard of the Federal Risk and Authorization Management Program (FedRAMP).

FedRAMP was launched in 2012 as a follow-on to the government's 'Cloud First' policy. This government-wide program was conceived to reduce the time and money that individual agencies spend assessing a cloud provider's security. Before FedRAMP, each agency ran its own assessment of each cloud service it procured, which produced multiple, redundant security assessments of identical services. FedRAMP was designed for cloud service providers (CSPs) operating at the Federal Information Security Management Act (FISMA) low- and moderate-impact levels, and it provides a standardized set of security requirements that CSPs must adopt in order to be eligible to host government data. Since June 2014, if your organization supports federal customers as a CSP, FedRAMP compliance is mandatory.

If you are a CSP with a federal government customer and you are not yet FedRAMP compliant, you should be aware that you are out of compliance with the GSA rules for cloud service providers. There is no provision for legacy applications to be grandfathered in without a FedRAMP authorization.

Does FedRAMP Apply to My Company?

At first blush, 'Cloud Service Provider' appears to be a clear enough descriptor, so you might not see the need to check how FedRAMP actually defines it. It is clear enough that if any of your product lines are delivered from the cloud, the term applies to you. What not everyone realizes is that even if only a small part of your product or service runs in the cloud, you are still considered a CSP for that component and it must be FedRAMP authorized before it can hold federal data.

Benefits of FedRAMP Certification

We have established that companies that sell products in the cloud, or offer cloud services that host federal data, need FedRAMP authorization. If you are a legacy provider that has not yet obtained it, you should fast-track the process in order to participate in new RFPs, RFQs and RFIs for cloud services.

What you might not realize is that FedRAMP authorization also has benefits for CSPs serving the private sector.

Because FedRAMP sets such a robust security standard, even companies that do not do business with the federal government have found that being able to point to a FedRAMP authorization offers a significant business advantage. Why? Because it demonstrates that your company has taken the initiative to meet one of the most stringent sets of cloud security requirements in use today. And if you adopt the FedRAMP requirements as your baseline set of security controls, satisfying individual customers' security frameworks (most of which map to a subset of the same NIST SP 800-53 controls) will generally take less effort.

Additional advantages of FedRAMP are that it increases reuse of existing security assessments across agencies, saves time and resources, improves real-time security visibility, and enhances transparency between government and CSPs. Also worth mentioning: you benefit from built-in processes for continuously monitoring, measuring, reporting on and improving your security processes.

Do Once, Use Many

Once your company holds a FedRAMP Authority To Operate (ATO), the assessed security package behind it can be reused for each new federal agency customer you work with: the agency reviews the existing package and issues its own ATO for its use of the service, rather than commissioning a fresh assessment. FISMA alone does not follow this 'do once, use many' model, so if you offer a hosted, non-cloud solution, you will more likely have to go through the full FISMA ATO process for each new customer or contract.

Tips for Selecting a Third Party Assessment Organization (3PAO)

Who you choose to work with is critical. Here are a few tips to consider.

NIST & FISMA: You will want a FedRAMP 3PAO with experience in the NIST SP 800-53 rev4 controls. (This matters because both FedRAMP and FISMA are built on that series of NIST controls.) If a 3PAO has deep FISMA experience, your process should be much more efficient, as the assessor can leverage some of your prior FISMA security documentation rather than starting from zero.

Cloud Savvy: Assessors with experience in cloud computing and cloud architecture will be more familiar with the controls that must be implemented to keep your data secure than firms with less exposure to cloud technology. Along with detailed knowledge of FISMA requirements, the 3PAO also needs to understand the added layer of the FedRAMP authorization process and everything it entails.

Risk-Based Approach & Practical: The best 3PAO is one that can balance a risk-based approach to security assessment with guidance on the most practical, cost-effective strategies for reaching compliance. At the end of the day, the 3PAO has to understand business risk, and the first priority for any company is to stay in business.

Weighing the Investment

Companies that decide to pursue FedRAMP authorization should be aware that the application is lengthy (the documentation package runs to roughly 400 pages) and the process is time-consuming. How well you have already documented your company's security plans and processes will directly affect how long the process takes and what it costs.

If your main customer base is the federal government and you want to grow that part of your business, or you want to add federal clients as customers, your company will need FedRAMP authorization to compete for and win lucrative government contracts.

Once you are FedRAMP authorized, it should follow that your company will gain new federal customers, allowing you to recoup your cost outlay over time. Some CSPs will see that return on investment quickly, given the size of many federal contract RFPs.

Private sector companies can also gain a competitive advantage by adopting the FedRAMP security baseline, which can translate into more business won and greater assurance for customers in the marketplace.

It is true that the authorization process carries a significant cost and time investment. But with the right accredited 3PAO guiding you, your firm can move through the process efficiently. And with your ATO in hand, your company should see that investment paid back many times over.


Posted in: FedRAMP