The Federal Risk and Authorization Management Program (FedRAMP)is a government-wide program in the United States that establishes a uniform method to cloud security assessment, authorization, and continuous monitoring. It was created to help federal agencies transition from outdated, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT systems as quickly as possible.
FedRAMP established and oversees a basic set of processes to guarantee the government’s cloud security is effective and repeatable. FedRAMP created a mature marketplace to boost cloud service adoption and familiarity while encouraging cross-government cooperation through open sharing of lessons learned, use cases, and tactical solutions.
Cloud Service Offerings (CSOs) are classified into one of three impact levels: Low, Moderate, or High, as well as three security objectives: Confidentiality, Integrity, and Availability, under the FedRAMP program.
- Confidentiality: When it comes to information access and disclosure, there are safeguards in place to protect personal privacy and proprietary information.
- Integrity: Information is adequately protected against tampering or deletion.
- Availability: Ensuring timely and reliable access to information.
CSOs are now authorized by FedRAMP at three degrees of impact: low, moderate, and high.
- Low Impact is best for CSOs where a breach of confidentiality, integrity, or availability would have only little consequences for the agency’s operations, assets, or personnel.
- Moderate Impact systems account for almost 80% of FedRAMP-approved CSP applications and are best suited for CSOs where a loss of confidentiality, integrity, or availability would have severe consequences for an agency’s operations, assets, or personnel.
- High-impact data is typically noticed in law enforcement and emergency response systems, financial systems, health-care systems, and any other system where a breach of confidentiality, integrity, or availability could have a severe or catastrophic impact on organizational operations, assets, or individuals. FedRAMP created a High Baseline to account for the government’s most sensitive, unclassified data in cloud computing environments, such as material involving the protection of life and financial disaster.
As of July 2020, the Marketplace had almost 200 authorized FedRAMP cloud services, with many more in the process of being approved. While the FedRAMP program was created to help federal agencies, Gartner reports that state and local governments, tribal and non-US governments, corporations in regulated industries and the military industry, as well as non-profit and educational groups, are all showing interest in it.
FedRAMP began as a well-intentioned effort to help government agencies embrace cloud technologies. Opinions have been varied, as they have been with most comparable initiatives. Pros and cons have surfaced for security and risk management (SRM) leaders considering whether a FedRAMP approach is suitable for them, according to a recent Gartner research note
These are to consider:
- FedRAMP standards have unified baselines and created a common language for cloud security controls
- FedRAMP security controls map to other frameworks such as NIST, HIPAA, and PCI-DSS
- FedRAMP security controls help non-federal clouds
- The FedRAMP Project Management Office (PMO) is listening and communicating
- The number of Cloud Service Providers (CSPs) seeking authorization is growing
- Gaining FedRAMP authorization is a long and expensive process for CSPs
- The increased costs are often passed on to FedRAMP clients
- FedRAMP authorized solutions are not cleanly accepted across agencies
- Only cloud vendors with an interest in the federal market are making the investment
- FedRAMP can create a false sense of security in buyers
In 2018, OneStream Software earned the Federal Risk and Authorization Management Program (FedRAMP) Moderate authorization, which it believes to be a critical qualification for federal agencies looking for secure cloud solutions that satisfy federal requirements. OneStream was the first cloud corporate performance management (CPM) service to obtain FedRAMP Moderate approval.
OneStream underwent an expensive and time-consuming 18-month review process with the FedRAMP PMO to obtain FedRAMP Moderate Authorization, and the PMO continues to audit verify OneStream is still adhering to FedRAMP requirements. OneStream has not passed on the expenses of this procedure to clients as part of pricing; rather, regard it as a cost of doing business with government agencies and those who adhere to the standard.