Almost every time you use a computer – or any other device connected to the Internet – you rely on some kind of cloud-based service or data storage provider. That creates huge ease of use and convenience. But that convenience comes with concerns about data security.
For government agencies using cloud-based services, data breaches can impact everything from citizen safety to national security. For those trusted with our most important and personal data, security is a very big deal.
That’s why the U.S. government requires all cloud services used by federal agencies to meet a meticulous set of security standards known as FedRAMP.
So: What is FedRAMP, and what does it entail? You’re in the right place to find out.
What is FedRAMP?
FedRAMP stands for the “Federal Risk and Authorization Management Program.” It’s a set of regulations that standardizes cloud products and services used by U.S. federal agencies through:
security assessment
authorization
monitoring
The goal is to protect federal data in the cloud.
Getting FedRAMP authorization is serious business. The FedRAMP Authorization Act was signed into law in December 2022. It was part of the FY23 National Defense Authorization Act.
There are 27 applicable laws and regulations involved in FedRAMP, plus another 26 standards and guidance documents. It’s one of the most rigorous cloud service certifications in the world.
FedRAMP has been around since 2011. That’s when cloud technologies really began to replace outdated on-premises software solutions. It was born from the U.S. government’s “Cloud First” strategy, which required agencies to consider cloud-based solutions as a first choice.
Before FedRAMP, cloud service providers had to prepare an authorization package for each agency they wanted to work with. The requirements were not consistent, and there was a lot of duplicate effort for both providers and agencies. FedRAMP introduced consistency and streamlined the process.
Now, FedRAMP requirements and evaluations are standardized. And other government agencies can reuse the provider’s initial FedRAMP authorization security package.
At first, FedRAMP uptake was slow. FedRAMP only authorized 20 cloud service offerings in its first four years. But the pace has picked up since 2021. There are now 317 FedRAMP authorized cloud service offerings. (Spoiler: Hootsuite is one of them!)
Source: FedRAMP
FedRAMP is controlled by the FedRAMP Board. The board members are the Chief Information Officers of:
the Department of Homeland Security
the General Services Administration, and
the Department of Defense.
Why is a FedRAMP certification important?
All cloud services holding federal data must have FedRAMP authorization. If you want to work with the federal government, FedRAMP authorization is an important part of your security plan.
FedRAMP ensures consistency in the security of the government’s cloud services. Further, it ensures consistency in evaluating and monitoring that security. It provides one set of standards for all government agencies and all cloud providers.
FedRAMP lists cloud service providers that are FedRAMP authorized in the FedRAMP Marketplace. This marketplace is where government agencies go to source a new cloud-based solution. It’s much easier for an agency to use a product that’s already authorized than to start the process with a new vendor.
So, a listing in the FedRAMP marketplace makes you much more likely to get more business from government agencies. But it can also improve your profile in the private sector.
That’s because the FedRAMP marketplace is visible to the public. Any private sector company can scroll through the list of FedRAMP authorized solutions. It’s a great resource when they’re looking to source a secure cloud product or service.
FedRAMP authorization can make any client more confident about a provider’s security protocols. It represents an ongoing commitment to meeting the highest security standards.
FedRAMP authorization boosts your security credibility beyond the FedRAMP Marketplace, too. You can share your FedRAMP authorization on social media and on your website.
The truth is that most of your clients probably don’t know what FedRAMP is. They don’t care whether you’re authorized or not. But for those large clients who do understand FedRAMP requirements – in both the public and private sectors – lack of authorization may be a deal-breaker.
What does it take to be FedRAMP certified?
There are two different ways to become FedRAMP authorized. Both methods have three main stages:
Preparation
Authorization
Monitoring
1. Joint Authorization Board (JAB) Provisional Authority to Operate
The FedRAMP Board, acting as the JAB, prioritizes approximately 12 cloud service offerings per year through a process called FedRAMP Connect. They announce the selection timeframes throughout the year on the FedRAMP blog.
Here’s a visual overview of the JAB process:
Source: FedRAMP
If you want to work with the JAB, start by reviewing the JAB Prioritization Criteria and Guidance document.
2. Agency Authority to Operate
In this process, the cloud services provider establishes a relationship with a specific federal agency. That agency stays involved throughout the process. If the process is successful, the agency issues an Authority to Operate.
Source: FedRAMP
If you want to pursue agency authorization, the recommended first step is to partner with a recognized Third Party Assessment Organization (3PAO) to create a Readiness Assessment Report. You can find a list of recognized assessors in the FedRAMP Marketplace.
Next, you need to formalize your relationship with a government agency. They will be your partner throughout the FedRAMP certification process. When you’re ready, begin the process by completing a Cloud Services Provider Information Form.
Preparing for FedRAMP Authorization
The process of achieving FedRAMP authorization can be tough. But it’s in the best interest of everyone involved for cloud service providers to succeed once they start the authorization process.
To help, FedRAMP interviewed several small businesses and start-ups about lessons learned during authorization. Here are their seven best tips for successfully navigating the authorization process:
Understand how your product maps to FedRAMP – including a gap analysis.
Get organizational buy-in and commitment – including from the executive team and technical teams.
Find an agency partner – one that is using your product or is committed to doing so.
Spend time accurately defining your boundary. That includes:
internal components
connections to external services, and
the flow of information and metadata.
Think of FedRAMP as a continuous program, rather than a project with start and end dates. Services must be continuously monitored and updated.
Carefully consider your authorization approach. Multiple products may require multiple authorizations.
Use the FedRAMP Project Management Office (PMO) as a resource. They can answer technical questions and help you plan your strategy.
FedRAMP also offers templates to help cloud service providers prepare for FedRAMP compliance.
How do you stay FedRAMP compliant?
To stay FedRAMP compliant, you first need to understand the different impact levels and baselines.
FedRAMP offers three impact levels for services with different kinds of risk. They’re based on the potential impacts of a security breach in three different areas.
Confidentiality: Protections for privacy and proprietary information.
Integrity: Protections against modification or destruction of information.
Availability: Timely and reliable access to data.
The impact levels are:
High, based on 410 controls. “The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.” This usually applies to law enforcement, emergency services, financial, and health systems.
Moderate, based on 323 controls. “The loss of confidentiality, integrity, and availability would result in serious adverse effect on an agency’s operations, assets, or individuals.”
Low, based on 156 controls. “The loss of confidentiality, integrity, and availability would result in limited adverse effect on an agency’s operations, assets, or individuals.”
There’s an additional option called FedRAMP Tailored. It’s based on the same 156 controls as the Low impact level. However, the requisite number of security controls to be tested and verified is lower. The provider only has to focus on the relevant requirements. It’s for “Low-Impact software as a service (SaaS) applications that do not store personal identifiable information (PII) beyond what is generally required for login capability (i.e. username, password, and email address).” It’s also known as LI-SaaS.
The FedRAMP Joint Authorization Board recently approved new baselines (Rev. 5) to correspond with Special Publication (SP) 800-53 Rev. 5 Catalog of Security and Privacy Controls for Information Systems and Organizations and SP 800-53B Control Baselines for Information Systems and Organizations. These are both publications from the National Institute of Standards and Technology (NIST).
The transition strategy to Rev. 5 went into effect on May 30, 2023. All cloud service providers should now have started the transition process.
Source: FedRAMP Baselines Rev 5 Transition Guide
Keep in mind that achieving FedRAMP compliance is not a one-off task. Remember the Monitoring stage of FedRAMP authorization? That means you’ll need to submit regular security and vulnerability assessments and reports to ensure you stay FedRAMP compliant.
You’ll also need to stay aware of FedRAMP updates, like the recent transition to Rev. 5. You might also need to undergo additional assessments when baselines change.
Examples of FedRAMP-certified products
There are many types of FedRAMP-authorized products and services. Here are a few examples from cloud service providers you know and may already use yourself.
Hootsuite
Hootsuite is an officially FedRAMP-authorized social media management dashboard. Several major government agencies use Hootsuite to achieve a range of federal objectives.
the US Department of the Interior
the Department of Education
the General Services Administration
Source: FedRAMP Marketplace
For example, note the Ow.ly shortened link in this post from the General Services Administration. This indicates the Tweet was sent securely through Hootsuite:
The #InflationReductionAct was signed a year ago & @USGSA has started to put its $3.4B towards greening the nation’s federal footprint. Let’s #LeadOnClimate & get to net-zero: https://t.co/KZG9c3yrm3 pic.twitter.com/gxCzgcNww9
— GSA (@USGSA) August 31, 2023
Read more about how Hootsuite is the #1 trusted social media management tool for government agencies. Or book a free, no-pressure demo.
Amazon Web Services
There are two AWS listings in the FedRAMP Marketplace. AWS GovCloud is authorized at the High level. AWS US East/West is authorized at the Moderate level.
New! AWS Security Hub achieves FedRAMP High authorization to enable security posture management for high-impact workloads. https://t.co/6MWHmuhRTc pic.twitter.com/cWxMNpELEc
— AWS for Government (@AWS_Gov) April 5, 2021
AWS GovCloud has 49 authorizations and a whopping 718 reuse ATOs. AWS US East/West has 59 authorizations and 633 reuse ATOs. That’s far more than any other listing in the FedRAMP Marketplace.
Google Workspace
Google Workspace was authorized in 2021 through the JAB Authorization Process at the High Level. It has 14 authorizations and 284 reuse ATOs.
We’re proud to announce #GoogleWorkspace has earned FedRAMP High authorization and key @GoogleCloudTech services are now IL4 authorized. Learn more about how we’re supporting the security and compliance needs of our customers at the #GoogleGovEduSummit ↓ https://t.co/HdiH1Xg9ov
— Google Workspace (@GoogleWorkspace) November 3, 2021
Adobe Analytics
Adobe Analytics was authorized in 2019. It is used by the Centers for Disease Control and Prevention and is authorized at the LI-SaaS level.
Adobe actually has several products authorized at the LI-SaaS level, such as Adobe Campaign and Adobe Document Cloud. They also have a few products authorized at the Moderate level:
Adobe Connect Managed Services
Adobe Experience Manager Managed Services
Adobe Acrobat Sign for Government
Remember that it’s the service, not the service provider, that gets authorization. Like Adobe, you might have to pursue multiple authorizations if you offer more than one cloud-based solution.
Slack
Authorized in May 2020, Slack has 11 FedRAMP authorizations and 142 reuse ATOs. The product is authorized at the Moderate level. It’s used by agencies including:
the Cybersecurity & Infrastructure Security Agency
the Federal Trade Commission
the United States Census Bureau
Slack originally received FedRAMP Tailored authorization. Then, they pursued Moderate authorization by partnering with the Department of Veterans Affairs.
Slack calls attention to the security benefits of this authorization for private sector clients:
“This latest authorization translates to a more secure experience for Slack customers, including private-sector businesses that don’t require a FedRAMP-authorized environment. All customers using Slack’s commercial offerings can benefit from the heightened security measures required to achieve FedRAMP certification.”
Zendesk
Authorized in May 2020, Zendesk is used by agencies including:
the Federal Communications Commission
the Federal Reserve System
the General Services Administration.
The Zendesk Customer Support and Help Desk Platform has LI-SaaS authorization.
Zoom
Zoom achieved Moderate authorization in July 2023 through the JAB Authorization Process. It has 43 authorizations and 42 reuse ATOs.
Some of the agencies currently using Zoom are:
The Centers for Disease Control and Prevention
The Department of Agriculture
The Department of State
The U.S. Marine Corps
To gain FedRAMP authorization, Zoom created a specific offering called the Zoom for Government Platform that is operated only by U.S. persons. Specifically, “the Zoom for Government platform leverages the U.S.-based AWS GovCloud infrastructure and U.S.-based co-located data centers.”
FedRAMP for social media management
Hootsuite is FedRAMP authorized. Government agencies can now easily work with the global leader in social media management to engage with citizens, manage crisis communications, and deliver services and information via social media.
See why Hootsuite is the #1 social media tool for government. Engage citizens, manage crises, and reduce risk online.