The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. It was designed to support the need for federal agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT systems.
Towards this end, FedRAMP created and manages a core set of processes to ensure effective, repeatable cloud security for the government. FedRAMP established a mature marketplace to increase utilization and familiarity with cloud services while facilitating collaboration across government through open exchanges of lessons learned, use cases, and tactical solutions.
Categorizing Offerings by Impact Levels
Under the FedRAMP program, Cloud Service Offerings (CSOs) are categorized into one of three impact levels: Low, Moderate, and High; and across three security objectives: Confidentiality, Integrity, and Availability.
- Confidentiality: Information access and disclosure includes means for protecting personal privacy and proprietary information.
- Integrity: Stored information is sufficiently guarded against modification or destruction.
- Availability: Ensuring timely and reliable access to information.
FedRAMP currently authorizes CSOs at the: Low, Moderate, and High impact levels.
Low Impact is most appropriate for CSOs where the loss of confidentiality, integrity, and availability would result in limited adverse effects on an agency’s operations, assets, or individuals.
Moderate Impact systems accounts for nearly 80% of CSP applications that receive FedRAMP authorization and is most appropriate for CSOs where the loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency’s operations, assets, or individuals. Serious adverse effects could include significant operational damage to agency assets, financial loss, or individual harm that is not loss of life or physical.
High Impact data is usually in Law Enforcement and Emergency Services systems, Financial systems, Health systems, and any other system where loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. FedRAMP introduced their High Baseline to account for the government’s most sensitive, unclassified data in cloud computing environments, including data that involves the protection of life and financial ruin
There are close to 200 authorized FedRAMP cloud services listed in the Marketplace as of July 2020, with many more going through the authorization process. And while the program was designed to support federal agencies, according to Gartner, there is increasing interest in the FedRAMP program from state and local agencies, tribal and non-US governments, companies in regulated industries and the defense industry, as well as non-profit and educational organizations.
Pros and Cons of FedRAMP
FedRAMP was created as a well-intentioned program to support federal agencies’ cloud software adoption. However, as with most similar efforts, reactions have been mixed. According to a recent Gartner research note1, pros and cons have emerged so security and risk management (SRM) leaders evaluating whether a FedRAMP approach is right for them should consider the following:
- FedRAMP standards have unified baselines and created a common language for cloud security controls
- FedRAMP security controls map to other frameworks such as NIST, HIPAA and PCI-DSS
- FedRAMP security controls help non-federal clouds
- The FedRAMP Project Management Office (PMO) is listening and communicating
- The number of Cloud Service Providers (CSPs) seeking authorization is growing
- Gaining FedRAMP authorization is a long and expensive process for CSPs
- The increased costs are often passed on to FedRAMP clients
- FedRAMP authorized solutions are not cleanly accepted across agencies
- Only cloud vendors with an interest in the federal market are making the investment
- FedRAMP can create a false sense of security in buyers
As a result of these pros and cons, Gartner recommends the following for SRM leaders responsible for cloud security decisions:
- Consider the trade-offs to gauge whether FedRAMP-authorized services make sense for their organizations or not
- Question cloud service providers regarding boundaries, processes, controls, deployments and mappings to other standards to avoid purely relying on FedRAMP marketing hype
- Inform users that a FedRAMP-authorized cloud service does not authorize them to abdicate their cloud security responsibilities.
- FedRAMP Demystified, Katell Thielemann, 21 July 2020
OneStream and FedRAMP Authorization
OneStream Software received the Federal Risk and Authorization Management Program (FedRAMP) Moderate authorization in 2018 and considers it an important qualification for federal agencies seeking cloud solutions that are secure and meet federal standards. In fact, OneStream was the first cloud corporate performance management (CPM) provider to achieve the FedRAMP Moderate authorization.
OneStream went through an expensive and rigorous 18-month process of reviews by the FedRAMP PMO in order to gain FedRAMP Moderate Authorization, and continues to be audited by the PMO to ensure we are continuing to remain in compliance with FedRAMP standards. OneStream has not specifically passed the costs of this process onto our customers via our pricing, we see this as the cost of doing business with federal agencies and others that respect the standard.
To learn more about OneStream’s FedRAMP authorization visit our web site or contact your local OneStream account representative.