We recently discussed the three unique paths to receiving a FedRAMP provisional authority to operate (P-ATO) and how to determine which type of FedRAMP P-ATO’d cloud platform is right for an agency’s applications. We determined that an agency should select the P-ATO’d cloud platform that is capable of meeting the agency’s security control requirements or is flexible enough to layer the agency’s security controls on top of the base infrastructure. But for a lot of you, that may be putting the cart before the horse. So, let’s take a step back and talk about the basics.
What is FedRAMP?
The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach for cloud products and services. The goal is to accelerate the adoption of secure cloud solutions for government agencies, increase the security of cloud solutions, achieve consistent security across all government agencies, and increase automation and continuous monitoring.
Why do we need FedRAMP?
The key benefits of FedRAMP stem from what it calls its “do once, use many times framework.” This framework includes standardized processes for security assessments that leverage the initial P-ATO as well as a path for ongoing assessment and authorization. Having a uniform approach to cloud computing significantly decreases the cost, time, and resources that go into architecting a cloud solution while increasing security and creating consistent standards across all government agencies. This means agencies can update their IT infrastructure to better serve and protect the data of their constituents in an efficient, cost-effective way.
What does this mean for government agencies?
While FedRAMP provides the framework, agencies are still responsible for selecting a cloud service provider (CSP) that has a P-ATO and meets all FedRAMP requirements. The agency is also responsible for taking a comprehensive inventory of cloud services, developing an effective cloud strategy, and annually reporting on all cloud services in its infrastructure. This can be a daunting task, and it’s imperative that agencies select a CSP that not only meets FedRAMP requirements but also has a comprehensive understanding of the entire FedRAMP process and the resources on hand to continually support an agency.
What should government agencies look for in a CSP?
As government adoption of cloud computing resources continues to accelerate, quality CSPs can help agencies remain focused on the details to maximize the value and minimize the risk of their cloud adoption strategies. It is important to note, however, that each agency is unique and many have their own more robust, refined cloud security requirements. At the same time, not all CSPs are created equal. This is why partnering with a CSP that is flexible enough to layer the agency’s specific security controls on top of the base FedRAMP infrastructure is so important. Agencies will want to find a CSP that is supported by a dedicated team of experienced, certified professionals who take the time to gain specific knowledge about an agency’s individual needs and unique security objectives.