February 26, 2021

Last Updated on January 13, 2024

FedRAMP is hot, and we’re seeing a big ramp-up in client inquiries about it.

Just 214 Authorizations to Operate (ATOs) have been granted under the FedRAMP program since its inception in 2011. But 61 ATOs were granted or “in process” in 2020 alone, and 30 more companies are queued up to begin the process.

Why is something with such a boring name suddenly so interesting? And who needs to be in the know?

To learn what FedRAMP is all about, we invited Stephen Halbrook, Partner and government compliance lead at Schellman & Co., to join a recent episode of The Virtual CISO Podcast.

FedRAMP is short for Federal Risk and Authorization Management Program. It’s all about ensuring the security of cloud services used by US federal government agencies. Basically, FedRAMP provides a standardized approach to security assessment/authorization and continuous monitoring for cloud products and services—anything from software as a service (SaaS) to infrastructure as a service (IaaS) to hardware as a service (HaaS).

“Federal agencies that choose to use commercial cloud services are required to use only cloud services that have gone through the FedRAMP process,” summarizes Steve. So FedRAMP applies to all agencies and organizations within the federal government, and to any and all cloud service providers (CSPs) that want to do business with them.

As an example, Steve cites the Zoom platform: “We all use Zoom being remote these days, and Zoom is a prime example where the government wanted to leverage their technology, so an agency took Zoom through the FedRAMP process, granted them an ATO, and now a number of agencies are using their service.”

Steve explains that a FedRAMP ATO is, in many ways, equivalent to a certification like ISO 27001. A federal agency that sponsors a CSP to pursue an ATO is accepting the risk of using the service.

“So coming out of a FedRAMP assessment there are findings, there are risks that the assessor identifies,” says Steve. “Those get documented and then the agency makes a decision to authorize or grant an ATO based on those results.”

If you’re a business or cybersecurity leader with a SaaS firm or other CSP that would like to provide services to the US federal government, you’ll definitely want to tune in to this podcast with Stephen Halbrook.

To listen to the full episode, click here. If you don’t use Apple Podcasts, you’ll find all our podcast episodes here.