Acronym Monday: FedRAMP
Today’s Acronym Monday is brought to you by the acronym FedRAMP.
This acronym is a bit more obscure than many of the other acronyms we’ve covered in this series, and it’s going to take a little bit of unpacking to get to the heart of it.
FedRAMP stands for Federal Risk and Authorization Management Program. It’s a standard approach for government organizations to determine an acceptable level of cybersecurity offered by service providers.
What does that mean, exactly?
Services provided on demand over the internet are called “cloud services.” A quick and easy example of a cloud service is Google Docs, which allows users to store and edit documents online from anywhere they have an internet connection. YouTube, owned by Google, is another example. Users upload their videos to YouTube and make them accessible through the web at any time.
A company that provides cloud services is called a “cloud service provider” (CSP). Continuing our previous example, Google is an example of a CSP. It provides services like Google Docs and YouTube to billions of people around the world, all on demand over the web.
Government organizations often require services of a CSP to host websites and other data securely. For example, millions of companies use Google Docs to collaborate on their work documents, including many government agencies. They also need an email service, where they can send, receive, and store emails securely. A CSP provides all these services.
Before FedRAMP, CSPs could offer wildly varying levels of service with regard to cybersecurity. On top of that, government organizations each had different criteria to assess a CSP’s level of cybersecurity. One CSP might have passed an assessment for one organization, but not for another. And every time a CSP went to work with a new organization, it had to be assessed again. That was an inefficient, time-consuming, and expensive process.
The goal of FedRAMP was to make sure all CSPs are assessed the same way, so that cloud services are provided equally across the board without a CSP having to go through a different assessment every time you turn around. With FedRAMP, once a CSP is certified, it’s the only certification to worry about. The CSP can go to all agencies with a proposal and say, “Yes, we are FedRAMP certified.” The process saves the government hundreds of millions of dollars, and the CSP saves time by being assessed only once.
To round off the Google example from above, if you take a look at this list of compliant cloud systems, you can see that Google is on the list as a FedRAMP certified cloud service provider.
Who came up with FedRAMP?
According to the FedRAMP website, experts from the following were all involved in developing the program. The links take you to their page about FedRAMP if they have one:
- General Services Administration (GSA);
- National Institute of Standards and Technology (NIST);
- Department of Homeland Security (DHS);
- Department of Defense (DOD);
- National Security Agency (NSA);
- Office of Management and Budget (OMB);
- the Federal Chief Information Officer (CIO) Council and its working groups; and
- Private industry.
Where can I learn more?
There are several great websites that can tell you more about FedRAMP than you ever wanted to know, including FedRAMP’s official website FedRAMP.gov. The FAQ section has a lot of quick answers to questions you might have. The GSA also has some good information on FedRAMP on their website.
Why should I care?
Even if you’re not a small, medium, or large business looking for cloud services, if you can find a CSP with FedRAMP certification, you’ll enjoy some of the same cybersecurity benefits as many government agencies. You may not have the same budget as the government, but you probably don’t need the same bells and whistles either. FedRAMP certified CSPs know how to secure data, and they’ll find you the solution that’s best for you and the solution you can afford.
Is Wildcard FedRAMP certified?
Wildcard Corp. is in the process of gaining FedRAMP certification. It’s a lengthy process with a lot of paperwork. But our cloud solutions are compliant with all of FedRAMP’s regulations, so we are simply waiting for the certification process to be complete. We expect to have our FedRAMP certification sometime in the Spring of 2017.