
Why FedRAMP Certification Matters

07/08/2015  |  By: Sese Bennett, CISSP, CISM, QSA, ITIL, HITRUST CSF, Senior Manager, Information Security


The Federal Risk and Authorization Management Program, or FedRAMP as it's known, is a government-wide program created to standardize how the Federal Information Security Management Act (FISMA) is applied to cloud computing services.

First launched in 2012, FedRAMP is a follow-up to the government's "Cloud First" strategy. The federal government spends billions of dollars every year securing products and services in the cloud.

If your company works with the federal government in the cloud, or plans on expanding into that market, we recommend you initiate the FedRAMP certification process. Here are a few of the benefits:

  • Optimizing existing security assessment controls across agencies
  • Saving money, time and resources
  • Improving real-time security visibility
  • Providing a uniform approach to risk-based management
  • Enhancing transparency between the federal government and CSPs
  • Cultivating trustworthiness, reliability, consistency and quality for the federal security authorization process

The Office of Management and Budget states that agencies must "use FedRAMP when conducting risk assessments, security authorizations, and granting Authority To Operate (ATOs) for all Executive department or agency use of cloud services." Companies that plan on doing business with the federal government in the cloud, or plan to expand their reach to include federal customers, should understand FedRAMP requirements and be FedRAMP compliant to flourish in the years ahead.

Certification Is Good for Your Bottom Line

While beginning the FedRAMP certification process is a requirement for all companies supporting federal agencies with cloud services, it also makes good business sense. Competition for federal cloud computing contracts will inevitably get fiercer as more agencies migrate to the cloud, and that means that there are a lot of dollars at stake.

A September 2014 Government Accountability Office report on cloud spending at seven agencies found that, collectively, cloud computing investments accounted for $529 million, or 2 percent of their $80 billion IT budget. Cloud spending for the entire federal government represents about 5 percent of all IT spending, or $3 billion, according to IDC Government Insights.

[Figure: Federal Spending on Cloud Computing, 2012 to 2014]

And while $3 billion isn't chump change, that number will grow exponentially. Former Federal CIO Vivek Kundra estimated that agencies had identified $20 billion worth of IT investments in their fiscal 2012 budgets that could move to the cloud. DHS identified nearly $2.5 billion of its own IT investments that could be appropriated for a cloud environment. FedRAMP certification affords your company access to a very profitable playing field.

Better Security, Lower Risk

FedRAMP plays a pivotal role in providing businesses and agencies with lower risk and better security controls by:

  1. Providing joint security assessments and authorizations based on a standardized baseline set of security controls
  2. Using approved Third Party Assessment Organizations (3PAOs) to consistently evaluate a Cloud Service Provider's ability to meet the security controls
  3. Requiring continuous monitoring as an ongoing security control

Implementing these security controls helps give the federal government more confidence conducting business in the cloud, and gives your company peace of mind that data will remain safe and secure.

Finally, FedRAMP certification makes it much easier for you to comply with FISMA requirements, since it necessitates the implementation of NIST-based controls for your cloud system or service.

When Should Companies Begin the Certification Process?

The real answer is the sooner the better. While it is possible to procure a federal contract prior to receiving your FedRAMP ATO, it can be very challenging, if not impossible, to fast-track and secure certification within the required timeframe because the process is so time-consuming. The entire process can take anywhere from six to 18 months to complete. If the government requires a 95-day turnaround period after granting an organization a contract, that puts substantial pressure on Cloud Service Providers (CSPs). On average, the typical FedRAMP certification takes about 12 months, which makes it nearly impossible for an organization to win a contract and then go after certification within a 95-day period.

Clearly, if your organization wants to procure federal cloud work today, putting off certification until "tomorrow" is not a good strategy. Now is the time to pursue FedRAMP certification. At the very least, you should begin laying the groundwork for certification by preparing the documentation required to gain authorization.

To learn more about FedRAMP certification, download a free copy of our upcoming guide, Grow Your Business With FedRAMP Certification. On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter at @lbmcsecurity.


Posted in: FedRAMP