Marion Square


What is FedRAMP? Security Standards for Cloud Service Providers

FedRAMP: what is it and why is it relevant to my business?

Have you thought about selling your software solution to the US Government and wondered whether any specific certifications may be required?

FedRAMP stands for Federal Risk and Authorization Management Program. FedRAMP is a government-wide program that provides a standard approach to security assessment, authorization and continuous monitoring for cloud products and services. It was originally conceived to accelerate the adoption of cloud solutions inside the US Government.

According to the US Office of Management and Budget, “any cloud service that holds Federal data must be FedRamp authorized” (OMB memorandum). Put plainly: if your organization is selling cloud-based software that will touch US Government data, your software solution must be FedRAMP certified, no exceptions, even if your end customer is not the Government.

There are three levels of FedRAMP certification which organizations can achieve: low, medium or high. The certification level required for your specific software solution depends on the sensitivity of the data your solution will be handling. Each certification level is associated with a set of security controls that must be in place. These controls cover technology, processes and policies, and for the highest level of certification they can number over 300.

In order to achieve a FedRAMP certification, also known as an Authority to Operate (ATO), organizations must have a third-party assessment organization (3PAO) verify that all controls are in place. Certification also requires the creation of a great deal of documentation outlining specific policies and procedures around system and data protection, along with system support.

Keep in mind that FedRAMP certification is an ongoing process which requires an annual audit of your software solution, policies and procedures.

Achieving a FedRAMP certification/ATO can be a daunting process. Do your research, and understand what’s involved and what you have to gain before embarking on the certification process. There are organizations that can assist you throughout, either by providing review and assistance in specific areas or by delivering a complete turnkey certification.