Why FedRAMP should matter to you


FedRAMP. If you haven’t yet heard of it, consider this your call to action. 

The Federal Risk and Authorization Management Program (FedRAMP) develops tough security standards that form the basis of its certification protocol for cloud services providers (CSPs). Beginning in June 2014, all CSPs that deliver, or plan to deliver, services to the federal government will be required to obtain FedRAMP certification.

That certification process can be lengthy and complicated. It takes six to 12 months to complete an application, which is followed by an independent third-party evaluation. Both phases of the process must be completed successfully in order to obtain certification.

FedRAMP offers a clearinghouse to determine which providers are most suitable for multiagency use, and the process is designed to find solutions that align with many different agency needs. The needs of one agency may not reflect what another agency requires; FedRAMP certification provides a well-vetted selection of CSPs for all federal agencies to choose from.

Demand from CSPs hoping to complete the certification process is high, but the rigors of the FedRAMP process ultimately deny certification to all but the best prepared and most flexible providers. The certification process can be daunting – not all providers are afforded the opportunity to complete certification. To date, only nine CSPs have achieved FedRAMP certification; IBM is the most recent provider to join the ranks.

The six steps outlined below offer helpful guidelines to enable providers to navigate through the process.

-- Clearly understand the entire process, including all requirements. CSPs must ensure all FedRAMP requirements are within the context of their technology environments and their business knowledge. They must have demonstrable understanding of and expertise in their respective industries, and they must prepare well in advance of the deadline. CSPs that begin the certification process without sufficient preparation are sure to face a more protracted process. For providers that intimately understand what the certification process means for their particular organizations, the process will be much easier to complete.

-- Use the materials available at The website provides various documents, reference materials, templates, and webinars designed to familiarize prospective providers with FedRAMP requirements. In-depth research now can help lay the groundwork for a successful application.

-- Plan to attend at least one monthly document workshop. FedRAMP hosts events each month to educate providers about the certification process and the requisite documents required for a successful application. The workshops also provide a forum to answer questions about the process and troubleshoot difficulties organizations may encounter as they move through it. 

-- Determine eligibility for a federal agency sponsor. For providers with existing agency relationships or with expressed interest to purchase services from a federal agency, sponsorships may be available. Sponsorships allow providers to go through the certification process through a particular agency rather than applying directly on their own. While a sponsorship can greatly reduce the amount of time providers spend participating in the process, it can also limit the inter-agency applicability of services and ultimately hinder a successful certification. Again, a solid understanding of how a provider’s services fit within broad-based multiple agency requirements will help providers decide whether it’s best to seek a sponsorship or apply independently.

-- Get to know the FedRAMP system security plan (SSP). The SSP is a critical component of the FedRAMP certification process. It provides a 400-page template that all CSPs must use to furnish information on their system inventories, boundaries and controls. Completed SSPs must meet 298 control requirements as outlined by the National Institute of Standards and Technology. The importance of the SSP cannot be overstated; incomplete or inaccurate SSPs can stall the application process significantly. In fact, FedRAMP will not assign CSPs to an information security system officer for a formal assessment until the SSP is complete. Companies that invest in the research of and preparation for all FedRAMP requirements will be able to identify gaps and other weak areas in their applications that might require additional support, making the process faster and more efficient.

-- Engage a reputable third-party organization (3PAO) to perform the FedRAMP assessment. CSPs are free to engage any third party they choose, so it’s best to choose a provider that understands how a particular business works and the benefits it can offer government markets. It also helps to choose a provider early to support and coordinate efforts throughout the process. 3PAOs will perform initial and ongoing independent validation of the security abilities CSPs have in place in addition to the ones they will need to implement in order to achieve certification. The successful verification of the CSP by the 3PAO is the final step in the certification process.

June 2014 is just around the corner. The deadline is looming, and CSPs cannot afford to wait to begin the process. Understanding FedRAMP requirements up front will enable CSPs to move through the process seamlessly and efficiently. 

About the Author

Paul Nguyen is President of Global Cyber Solutions at CSG Invotas (NASDAQ: CSGS), a global provider of interactive transaction-driven solutions and services.


Reader comments

Tue, Jan 12, 2016 Aimee McLaughlin

"Plan to attend at least one monthly document workshop. FedRAMP hosts events each month to educate providers about the certification process and the requisite documents required for a successful application. The workshops also provide a forum to answer questions about the process and troubleshoot difficulties organizations may encounter as they move through it. " - I have never seen any information on the FedRAMP website about monthly workshops. Is this accurate?
