
        What Is FedRAMP And Why To Use Certified Providers


Organizations have an obligation to keep their online information safe, and that includes selecting software providers that can demonstrate a commitment to cyber security. While standards like ISO 27001 are well known and globally accepted, FedRAMP goes far beyond them in the number of controls it involves, which can provide additional peace of mind when working with vendors who have gone through that certification process.

        What is FedRAMP

        Created in 2011, the Federal Risk and Authorization Management Program, or FedRAMP, was founded on a clear mission: to promote the “adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies.”

Prior to FedRAMP, organizations working with the government had to meet a variety of security requirements based on each federal agency's individual standards. FedRAMP simplifies the procurement of cloud software by creating a single baseline that cloud service providers can be certified against in order to work with any federal agency.

        Based on NIST Special Publication 800-53, FedRAMP specifies three impact levels depending on the type of data being processed:

        • Low Impact: Data whose loss would have little impact on the agency; 125 controls.
        • Moderate Impact: Data whose loss would have a significant impact; 325 controls.
        • High Impact: Data whose loss would have severe consequences, e.g. classified data related to national defense; 420 controls.

While government organizations are required to use FedRAMP-certified cloud service providers, private sector companies with cyber security supply chain requirements such as NERC CIP-013 would do well to select certified providers, as doing so can make those requirements easier to comply with.

        FedRAMP-certified providers at a glance

        Given the large number of controls, the process for a cloud service product to become FedRAMP certified isn’t an easy one. Providers must go through an extensive review process, including an assessment by a third-party assessment organization (3PAO), full security assessments and lots of reviews and sign-offs along the way. 

In the first four years after the establishment of this framework, just 20 cloud service offerings were authorized by FedRAMP. By 2018, FedRAMP had authorized 100 services, and today over 200 products are eligible for use under FedRAMP.

As of November 2022, the FedRAMP authorization pipeline looked like this:

• 22 cloud service offerings are Ready, meaning a third-party assessment organization has deemed the product ready for the authorization process.
• 79 are In Process and actively working toward their authorization.
• 286 are Authorized, having completed the certification process, and are approved for use by federal agencies.

        Once a cloud service provider is FedRAMP certified, it is continuously monitored to ensure it meets the standard on an ongoing basis. 

        Why work with a FedRAMP-certified provider

If you work for a federal agency and want to procure cloud software, you are required to use only services that are FedRAMP-certified. Even if you are in the private sector, working with a FedRAMP-certified cloud provider means your data is processed in a data center, and by an organization, that is continuously monitored for compliance with many more privacy and security controls than even ISO 27001 specifies. That can be a competitive differentiator and can help with cyber security supply chain requirements.

        In addition, you’ll have the peace of mind that comes with knowing that the protection of your data is future-proofed, as FedRAMP’s security requirements are overseen by many governmental organizations, including: 

        • The Joint Authorization Board, the main decision-making body for FedRAMP, which includes the Chief Information Officers from the Department of Defense, the Department of Homeland Security, and the General Services Administration 
        • Office of Management and Budget
        • Chief Information Officer Council
• National Institute of Standards and Technology

        How DevonWay can help

        As a leader in quality, safety and asset management software, DevonWay understands and values the importance of data security. That’s why we’ve been working diligently to move through the FedRAMP authorization process, and we expect to be certified in 2023. Once approved, our FedRAMP-certified SaaS environment will offer the same award-winning suite of services as the commercial SaaS environment. 

        Learn more about the benefits, timeline, and cost of our upcoming FedRAMP-certified environment in our webinar recording.