Last Updated on February 26, 2021
[et_pb_section fb_built=”1″ _builder_version=”4.9.0″ _module_preset=”default”][et_pb_row _builder_version=”4.9.0″ _module_preset=”default”][et_pb_column type=”4_4″ _builder_version=”4.9.0″ _module_preset=”default”][et_pb_text _builder_version=”4.9.0″ _module_preset=”default”]
FedRAMP is hot, and we’re seeing a big ramp-up in client inquiries about it.
Just 214 Authorizations to Operate (ATOs) have been granted under the FedRAMP program since its inception in 2011. But 61 ATOs were granted or “in process” in 2020 alone, and 30 more companies are queued up to begin the process.
Why is something with such a boring name suddenly so interesting? And who needs to be in the know?
FedRAMP is short for Federal Risk and Authorization Management Program. It’s all about ensuring the security of cloud services used by US federal government agencies. Basically, FedRAMP provides a standardized approach to security assessment/authorization and continuous monitoring for cloud products and services—anything from software as a service (SaaS) to infrastructure as a service (IaaS) to hardware as a service (HaaS).
“Federal agencies that choose to use commercial cloud services are required to use only cloud services that have gone through the FedRAMP process,” summarizes Steve. So FedRAMP applies to all agencies and organizations within the federal government, and to any and all cloud service providers (CSPs) that want to do business with them.
As an example, Steve cites the Zoom platform: “We all use Zoom being remote these days, and Zoom is a prime example where the government wanted to leverage their technology, so an agency took Zoom through the FedRAMP process, granted them an ATO, and now a number of agencies are using their service.”
Steve explains that a FedRAMP ATO is, in many ways, equivalent to a certification like ISO 27001. A federal agency that sponsors a CSP to pursue an ATO is accepting the risk of using the service.
“So coming out of a FedRAMP assessment there are findings, there are risks that the assessor identifies,” says Steve. “Those get documented and then the agency makes a decision to authorize or grant an ATO based on those results.”
If you’re a business or cybersecurity leader with a SaaS firm or other CSP that would like to provide services to the US federal government, you’ll definitely want to tune in to this podcast with Stephen Halbrook.