De-Mystifying FedRAMP

April 11, 2017


If you work in—or anywhere near—government IT, chances are you’ve heard the term FedRAMP a few times in the last year or two.  Or more likely, you’ve heard the term a few dozen times…this month.  FedRAMP is quickly becoming a buzzword among public sector professionals, particularly those in highly technical or security-centric roles.  In this post, we’re going to try to pull back the curtain and explain, in layman’s terms, what FedRAMP means and why it’s so important.

What is FedRAMP?

FedRAMP (Federal Risk and Authorization Management Program) is a government-wide program that acts as a standardized model for security assessment, authorization and continuous monitoring for cloud-based IT products and services.  In other words, FedRAMP is a government-sanctioned stamp of approval indicating that a cloud service provider has met a specific set of stringent cybersecurity and performance benchmarks.  When a government agency selects a FedRAMP certified (or FedRAMPed) partner, it benefits not only from the highest possible levels of data protection but also from significant cost savings across the entire enterprise.  Working with a FedRAMPed cloud solution can cut costs by 30-40% and save staff time and energy by eliminating redundant security assessments.  When you see that a potential service provider is FedRAMPed, you can rest assured that they’re serious about keeping your data safe.
 

Why Does it Matter?

Considering the nature of the work and the sensitive information so often involved, it goes without saying that cybersecurity is vital to everyday government operations.  It’s also true that faster processing speeds, increased computing elasticity and on-demand cloud-based solutions are becoming more and more attractive to government agencies.  Cybersecurity experts at the NSA, DoD, GSA and in the private sector agree that this migration toward the cloud will continue to grow exponentially in the coming years.  With that in mind, these experts have concluded that a standardized replacement for inconsistent, costly cloud assessment techniques is vital to maintaining a secure government IT infrastructure across the country.  That replacement is FedRAMP.  And for the last several years, government agencies have been legally required to select FedRAMPed solutions if they wish to migrate core systems to the cloud.

 

How Does it Work?

Every cloud service provider that seeks FedRAMPed status for its products and services is required to undergo a comprehensive, three-step evaluation process, sometimes spanning a year or more. 

1. Security Assessment.  The FedRAMP security assessment applies a standardized set of requirements, in accordance with the Federal Information Security Modernization Act (FISMA) and built on a baseline set of NIST 800-53 controls, to grant security authorizations to cloud service providers.

2. Leveraging and Authorization.  Government agencies view security authorization packages in the FedRAMP repository and leverage them to grant a security authorization at their own agency for an individual cloud service provider.  This step is known as the Authority to Operate (ATO).

3. Ongoing Assessment & Authorization.  Once an authorization is granted, cloud service providers are subject to a series of stringent, ongoing assessments and authorizations in order to retain FedRAMPed status.

 

How Does Leidos Digital Fit In?

As of April 2017, Leidos Digital Solutions is pleased to offer a new way for government agencies to purchase IQ, our industry-leading CRM solution.  IQ FedCloud and IQ GovCloud are now available on a secure, stable and scalable FedRAMP certified cloud platform and can be acquired quickly and easily on our GSA Schedule 70, Contract GS-35F-0636K.  To learn more about IQ, browse our website or contact us with any questions you may have.

Visit our YouTube channel for a preview of how IQ really works!