FedRAMP guidance helps cloud service providers qualify
The Federal Risk Assessment and Management Program (FedRAMP) took an important step earlier this year in helping providers of Cloud Service Offerings (CSOs) achieve authorization and enabling government agencies to assess vendors’ progress along that path.
In June 2019, the FedRAMP Project Management Office (PMO) issued new marketplace guidance that lays out a clear path across the three marketplace designations: FedRAMP Ready, FedRAMP In Process, and FedRAMP Authorized. “With over 250,000 visits annually, the Marketplace is a valuable source of real-time information for our customers,” the PMO said in a release. “We want to ensure the information about each CSO is established in easy-to-understand guidance.”
Agencies Are Asking
The release lays out a simple reason for the PMO to clarify the steps in the process: It was one of the most frequently asked questions the office was getting.
With more than 220 industry partners taking part, “the Marketplace serves as a searchable and sortable database of Cloud Service Offerings (CSOs), aiding Agencies in the process of researching and identifying secure cloud capabilities that are available for government-wide use,” the release stated. “We receive thousands of questions through email@example.com, and one of the most popular topics is the FedRAMP Marketplace and which cloud capabilities are FedRAMP Ready, In Process, or Authorized.”
So FedRAMP decided to clear things up, with a single, one-stop guidance document that consolidates and supersedes past instructions to agencies and vendors. Its key features include:
- A clear explanation of the process for achieving and maintaining the three designations;
- Specific guidance on how a vendor working with component agencies of the Department of Defense can earn an In Process designation;
- Tips and guidance on handling changings in an agency’s Authorizing Official.
Three Steps to Certification
The guidance document presents details of each of the three designations.
- Under FedRAMP Ready, a CSO at the Moderate or High impact level receives a Readiness Assessment Report that attests to its security capabilities, and documents is compliance with federal mandates and ability to meet FedRAMP requirements. The report is valid for one calendar year once it’s accepted by the FedRAMP PMO, and can be extended for one year if necessary.
- FedRAMP In Process means a company “is actively working toward a FedRAMP Authorization” with the program’s Joint Authorization Board (JAB) or a single federal agency. The new guidance explains the steps and requirements for achieving In Process designation, including specific requirements from the Department of Defense.
- The coveted FedRAMP Authorized designation indicates a provider that has met all the program’s security requirements.
One Less Headache
With extreme rigor and attention to detail baked into every stage of the authorization process, FedRAMP helps relieve one of the biggest headaches facing IT professionals and project managers at every level of government.
Cybersecurity is a constant, daunting challenge for every agency, regardless of its size, mandate, or security level. The problem isn’t going away anytime soon—the rule of thumb is that, if you think your system is too secure to be hacked, that thought process is the first hint that the organization is at risk.
With would-be intruders becoming ever more creative and resourceful, one of the first steps in keeping up with the threat is to know who to trust for the software, professional guidance, and results your agency needs. FedRAMP relieves that stress by providing a single, standard reference point for assessing more than 200 vendors, offering a wide menu of cloud-based products and services.
Learn about Infor Government SaaS—integrated FedRAMP-compliant applications and platforms.
- Security & Compliance
- Aerospace & Defense
- Facilities Management
- Federal Government
- High Tech & Electronics
- Industrial Manufacturing
- Public Sector
- State and Local Government