The Federal Risk and Authorization Management Program (FedRAMP) is a standardized approach to security assessment authorization and continuous monitoring for Cloud Service Offerings (CSOs). The approach is standardized in accordance with the Federal Information Security Modernization Act (FISMA), Office of Management and Budget (OMB) Circular A-130, and FedRAMP policy. For Software-as-a-Service (SaaS) providers, FedRAMP authorization is one of the most sought-after certifications in the world.
FedRAMP has provided several benefits. One is the increase of the adoption of secure cloud solutions through reuse of assessments and authorizations.
It empowers federal agencies to use modern cloud technologies, with an emphasis on the security and protection of federal information. The governing bodies of FedRAMP include the Office of Management and Budget (OMB), US General Services Administration (GSA), US Department of Homeland Security (DHS), US Department of Defense (DoD), National Institute of Standards and Technology (NIST), and the Federal Chief Information Officers (CIO) Council.
It is a government-wide program that any Cloud Service Provider (CSP) wanting to offer its CSOs to the federal government needs to understand. It is important because it is mandatory for all US federal government agencies and all cloud services.
A Cloud Service Offering can be authorized by successfully completing the FedRAMP authorization process. This can be done either via an individual federal agency or Joint Authorization Board (JAB).
When choosing the individual agency authorization path, the CSP is reviewed by a customer agency CIO or Delegated Authorizing Official to achieve a FedRAMP-compliant ATO that is verified by the FedRAMP Program Management Office (PMO). If successful, the CSP’s CSO would receive a JAB Provisional Authority to Operate (P-ATO).
If choosing the JAB path, the CSP is assessed by a FedRAMP-accredited third-party assessment organization (3PAO). If successful, the CSP’s CSO would receive an Agency Authority to Operate (A-ATO).
CSOs are categorized into one of the three impact levels: low, moderate, and high; and across three security objectives. Federal Information Processing Standards (FIPS) 199 provides the standards for categorizing information and information systems, which is what CSPs use to ensure their services meet the minimum security requirements.
At the top level, FedRAMP high impact data is usually found in Law Enforcement and Emergency Services systems, Financial Systems, Health Systems, or any other system where loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. This baseline was introduced to account for a government agency’s most sensitive unclassified data in cloud computing environments, including data that bears on the protection of life and the prevention of financial ruin. The FedRAMP moderate impact level is for serious adverse effects, and the FedRAMP low impact level is for limited adverse effects.
One of the ways FedRAMP compliance for a CSO can be validated is by looking it up in the FedRAMP Marketplace. An example of how the FedRAMP compliance program is leveraged is by the DoD to meet DoD Cloud Computing Guide Impact Levels.
AWS is a FedRAMP Leader
A CSP that is a leader in attaining security and compliance certifications is Amazon Web Services (AWS). One of the recent services to be authorized for both FedRAMP moderate and FedRAMP high levels is its omnichannel cloud contact center service, Amazon Connect (10/2022).
Not long before this announcement, another (2/2022) covered over a dozen additional AWS services being authorized. That announcement included AWS’ intelligent search service powered by machine learning, AWS Kendra.
This or any other service can be verified on AWS’ “services in scope” page for FedRAMP. There you will see it is just one of the dozens of services already authorized in either the AWS East/West (US) Regions under the FedRAMP moderate impact level authorization, the AWS GovCloud (US) Regions under the FedRAMP high impact level authorization, or both.