The Federal Risk and Authorization Management Program (FedRAMP) is a risk assessment framework. According to the FedRAMP website, it is:
"a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services."
What are the benefits of FedRAMP?
Before FedRAMP, every federal government agency conducted its own assessment and had its own risk management approach. This led to duplication of effort and long delays every time an agency wanted to use a cloud-based service. With FedRAMP, once a cloud service provider (CSP) holds a FedRAMP authorization to operate (ATO), it can be used by several agencies to host their data. Since each agency no longer needs to carry out its own full-fledged assessment, this can result in huge cost and time savings.
As a result, several CSPs, many of whom we cover in our different marketplaces, are at different stages of complying with FedRAMP. Some, like Box and Acquia, are already FedRAMP authorized, while others, like SpringCM, are in the process. The whole process can be quite involved and can take as much as 18 months to complete. But once a CSP undertakes this effort, it not only becomes eligible to host data for federal agencies but also becomes more secure. As of this writing, the FedRAMP site shows 80 authorized, 63 in-process and 10 ready for FedRAMP. You should check the site regularly to see which specific vendors are compliant. The table below shows some of the vendors from our different marketplaces along with some additional attributes.
[Table: Example CSPs and different FedRAMP attributes]
A CSP can offer different service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS). A CSP can also offer multiple models, for example when a SaaS provider builds its stack on top of its own IaaS and PaaS layers and does not differentiate between the layers.
In terms of deployment models, all common options such as Private Cloud, Public Cloud, Hybrid Cloud and Government Community Cloud are available.
CSPs are also authorized for specific impact levels. There are three impact levels: Low, Moderate and High. You will see most CSPs authorized for the Moderate impact level.
Criticisms of FedRAMP
There are several issues with FedRAMP, many of which inhibit its adoption. The FedRAMP process is very time consuming and expensive. Thus, while the big CSPs can invest the time and money, not everyone can. There are numerous startups out there, especially in the areas of IoT, mobile and social. Many of them provide useful functionality at low cost, but they can’t afford the costs associated with the FedRAMP process. Consequently, the ecosystem is becoming an exclusive club of select CSPs who can afford enough time and resources, and it keeps smaller service providers out. This not only reduces the options available to agencies but also discourages agility and innovation.
Any CSP that has invested in getting authorized would obviously want a return on that investment. That could result in increased pricing, and keeping a cozy walled garden works in their favour.
If you are a federal agency, you are going to have to go with FedRAMP authorized CSPs. This can actually be good for you, because you don’t have to spend your own resources on assessments and evaluations, and you will get a more secure environment. However, a problem arises if you need a cloud service that is not FedRAMP compliant. This could apply to several types of services, such as publicly available SaaS services or small CSPs that can’t afford to be authorized. There are a couple of things you could consider. If the service you need is available as an application that can run in the cloud, you can deploy it as a one-off instance that you manage yourself on FedRAMP authorized hosting such as AWS or Azure. This is useful, for example, if you want to deploy a cloud instance of your favorite WCM package but the vendor is not FedRAMP authorized for its own cloud offering. There are also cloud service providers that offer traditional products on their FedRAMP authorized cloud. If none of this works for you, then you will need to work with potential vendors on compliance.
If you are a non-compliant CSP, there are many factors to consider in deciding whether or not to pursue FedRAMP authorization. It’s a long and expensive process, and the key decision criterion is whether the returns are worth the pain. But if the Government is your customer, or you want to expand your footprint in federal agencies, then you should invest in becoming FedRAMP compliant. This will open many more doors for you, especially in federal agencies. In addition, it could also improve your offering itself, which will help you with your non-federal customers as well.
If you are a non-federal government organization, remember that most FedRAMP authorized CSPs have a dedicated offering for federal agencies. They do not, as yet, apply a similar level of assessment and controls to their regular commercial offerings. So you might not get any immediate benefits. However, you can still use many of these practices for your own security assessments and keep demanding the same of your CSP.