What is FedRAMP

FedRAMP stands for the “Federal Risk and Authorization Management Program.” It standardizes security assessment and authorization for cloud products and services used by U.S. federal agencies. The goal is to make sure federal data is consistently protected at a high level in the cloud.

Becoming a FedRAMP accredited organization is crucial for your success in the public sector

That is, it is a list of verified, secure, and authorized services to allow the US Gov to migrate services to the cloud to be more efficient and secure. (I was one of the millions who had their personal info stolen from the OMB by China because the OMB databases and networks were archaic and insecure.)

I consider this one of the smartest things the Gov has done in a long time, actually understanding that the cloud is the place to be and making it easy for agencies to get there. Now a company only needs to get a product accredited once, and any federal agency can use it. That may not seem like much to those of you who have never had to deal with the Gov, but it is a big deal.

There are 238 authorized companies - many companies have multiple products authorized.

Cloudflare is listed as “in progress”, but competitor Akamai has 166 authorizations. I did not see Fastly.

Some other names we know: Appian (14 authorizations), Adobe, Amazon (748), Axon, Coupa (in progress), CrowdStrike (42), Datadog (20), DocuSign (14), Dynatrace (2), Elastic (1), Google (164), MongoDB (in process), New Relic (26), Nutanix (2), Okta (108), Palantir (7), SentinelOne (2), ServiceNow (82), Smartsheet (11), Snowflake (3), Splunk (12), Workiva (7), Zoom (23), Zscaler (32). (And boring big boys like Cisco, VMware, IBM, Palo Alto, etc.)

If you click on a company, you can see some details, like the agencies using it. Here is the CrowdStrike Falcon platform link…
Among them: DoD, DHS, FAA, Social Security.

There is a link on the site for federal agencies to see how to: “Adopt innovative cloud services to meet your agency’s mission needs”. That is, a “dumb” agency can click there and see how to take advantage of this catalog of cloud products. They have come a long way.

Hope this helps a bit.



Excellent summary, Pete!

While it is great that the government has done this, it is also important to understand how overly complicated and bureaucratic they’ve made getting these certifications! At a previous company we were pursuing FedRAMP certifications for over 8 years. We went through several sponsors; each time one left, it would extend the process further.

Another thing to understand is that not all FedRAMP certifications are equal. DOE reportedly has the most strict certification process, so if you pursue and receive a FedRAMP stamp of approval from DOE, every other government agency can simply choose your product/service without question. But if you pursue the certification from say, HHS (just making this part up), then other agencies may not be able to choose your solution if their security requirements are closer to the DOE side of the scale.

The vast majority of people don’t know what FedRAMP is to begin with, never mind being aware of all the vagaries, bureaucratic complications, time and expense involved in getting one!

As a result, I’m often left wondering what level of FedRAMP our companies are pursuing, and what the expense is compared to the revenue it generates. Is it a net positive? Negative? Neutral?

Paul - who’s been part of entirely too many FedRAMP related audits, all for naught, thanks to the bureaucratic-nonsense nature of the process.


A few more details for those who are interested.

FedRAMP comes in several different levels - Low, Medium and High. The difference is that a higher level of certification is required if the software solution is to manage more sensitive data. So DOD systems would require High and other agencies with less critical data might need Medium or Low.

From a provider perspective, the higher the level of certification they are going for, the more security controls they have to be able to attest to and verify. The controls number into the hundreds, so undergoing thorough verification and attestation of these takes a lot of time and effort. As mentioned above, it can (and usually does) take years (2+, typically). The controls come from NIST (National Institute of Standards and Technology). Often, the process of certification will cause the vendor to fix findings and make changes to their software in order to successfully comply.

The other important point is that the cost of obtaining the certification is borne by the software vendor. Although it is possible for the sponsoring government agency to arrange some kind of compensating financial arrangement as part of a contract, I don’t believe this is typical. So in practice, a software firm considering obtaining the certification has to really consider whether the cost is worth it. Given that the cost can be considerable, this will often depend on whether they think they have many prospective clients among the various federal agencies or not. For some kinds of relatively general purpose software - packages like ServiceNow or Salesforce or CrowdStrike, for example - the potential is really worth it. But for others, which provide a more specific kind of solution, it’s a tougher question. If the nature of the software is such that only a handful of federal agencies might ever show an interest in it, spending a bunch of money, attention and resources on the certification may not necessarily be a winning proposition. Finally, even if it makes sense to pursue certification from a client opportunity perspective, it also matters whether there are already a lot of competing providers in your space with FedRAMP certification. If you are the first among your peers to obtain FedRAMP, that can be an amazing advantage. But if a bunch of your competitors are already there and the federal market is saturated with competing products, then maybe not. All these factors ultimately have to be weighed by the software company.