Marion Square


FISMA vs FedRAMP: What's the Difference & Similarities

Marion Square provides both consulting and technical services to assist organizations in achieving their FedRAMP certification. In doing so we are often asked about the differences between FedRAMP and FISMA certifications. The document below outlines both Government standards and highlights not only the key differences but also the similarities.

FedRAMP (Federal Risk and Authorization Management Program) is a Government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud service providers. FedRAMP authorization is only granted for cloud-based service offerings, NOT on-premises solutions. (FedRAMP has been called the FISMA of the cloud.)

A FedRAMP certification, or Authority to Operate (ATO), is granted by a certified Third Party Assessment Organization (3PAO), not an individual Federal agency. The certification/ATO can be utilized Government-wide, meaning that once you achieve FedRAMP certification for one agency, the certification will be valid for all other Federal Government agencies. This is more commonly known as a “one to many” approach to certification. (As you will note, this is a key difference between FedRAMP and FISMA.)

FISMA (Federal Information Security Management Act) is United States legislation that defines a comprehensive framework to protect Government information, operations and assets. Unlike FedRAMP, which assigns the certification to a 3PAO, the individual agencies are responsible for interpreting the law and granting the FISMA certification/ATO. As a result, an organization’s FISMA certification granted by one Federal agency cannot be utilized with a different Federal agency. This is known as a “one to one” approach to certification, meaning that for each Federal agency the organization will need to go through a completely separate FISMA certification process.

Both FedRAMP and FISMA are based on the NIST 800-53 set of security controls and leverage the same categorization of Low, Medium and High. However, the number of controls required differs, with FedRAMP requiring more security controls than FISMA.

In conclusion, both FedRAMP and FISMA are based on the same set of security controls, NIST 800-53. FedRAMP, which is focused on cloud-based solutions, requires additional controls when compared with FISMA. FISMA certification is agency-specific, while FedRAMP is a Government-wide initiative.