Beginner's Guide to GSA & the New Consolidated MAS Contract | View the Guide Here


What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a government program managed by the General Services Administration. It was designed to provide a standardized system for assessing, authorizing, and continuously monitoring cloud products and services.  If you are a Cloud Service Provider and want to do business with the Federal Government, then you need to meet the FedRAMP requirements. Once you have met their requirements, you will be able to provide cloud services to any and all federal agencies.

What are the benefits of FedRAMP?

The government wants more people to use cloud services because it allows agencies to save time, money, and increase overall efficiency by using a “do once, use many times” structure. Before FedRAMP, every agency was responsible for interpreting their own individual security assessments, which created more work for vendors because they had to constantly modify their Assessment and Authorization packages. With FedRAMP, you are able to bypass these duplicative efforts because there is only one unified baseline.

FedRAMP also offers reduced cyber-security threats to vendors because it allows government agencies to detect cyber security vulnerabilities at a much faster rate due to the interagency approach.

How do I become a FedRAMP approved CSP?

Before beginning the application process for FedRAMP, you should review the Security Assessment Framework and Guide to Understanding FedRAMP.

Once the CSP has reviewed the documents, complete the application form and put into action any FedRAMP security controls that are not currently implemented. You must also complete a FIPS 199 Worksheet to document the security controls within the system. Please keep in mind, it is vital that you accurately document the changes made within the cloud system and how they meet FedRAMP security controls to be approved.

Next, perform an independent system assessment to ensure all implementations of FedRAMP security controls are properly in place. It is recommended that CSPs who wish to meet FedRAMP requirements, work with a Third Party Assessment Agency (3PAO) with which they have pre-existing contracts.

Lastly, create and submit an authorization package and provide continuous monitoring reports and updates to FedRAMP.

How long will it take to achieve FedRAMP Authorization?

Assuming the CSP has implemented the controls and completed related documentation, the following timeframe will apply:

  • A FedRAMP JAB P-ATO assessment takes about 7-9 months to complete.
  • An agency ATO can take anywhere from 4-6 months to complete.
  • A CSP supplied package can likely be completed in 2-3 months

Additional Points: