The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. It was designed to support the need for federal agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT systems.
Towards this end, FedRAMP created and manages a core set of processes to ensure effective, repeatable cloud security for the government. FedRAMP established a mature marketplace to increase utilization and familiarity with cloud services while facilitating collaboration across government through open exchanges of lessons learned, use cases, and tactical solutions.
Categorizing Offerings by Impact Levels
Under the FedRAMP program, Cloud Service Offerings (CSOs) are categorized into one of three impact levels: Low, Moderate, and High; and across three security objectives: Confidentiality, Integrity, and Availability.
FedRAMP currently authorizes CSOs at the Low, Moderate, and High impact levels.
Low Impact is most appropriate for CSOs where the loss of confidentiality, integrity, and availability would result in limited adverse effects on an agency’s operations, assets, or individuals.
Moderate Impact systems account for nearly 80% of CSP applications that receive FedRAMP authorization. This level is most appropriate for CSOs where the loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency’s operations, assets, or individuals. Serious adverse effects could include significant operational damage to agency assets, financial loss, or individual harm that does not involve loss of life or physical injury.
High Impact data is usually found in Law Enforcement and Emergency Services systems, Financial systems, Health systems, and any other system where loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. FedRAMP introduced its High Baseline to account for the government’s most sensitive, unclassified data in cloud computing environments, including data that involves the protection of life and financial ruin.
There are close to 200 authorized FedRAMP cloud services listed in the Marketplace as of July 2020, with many more going through the authorization process. And while the program was designed to support federal agencies, according to Gartner, there is increasing interest in the FedRAMP program from state and local agencies, tribal and non-US governments, companies in regulated industries and the defense industry, as well as non-profit and educational organizations.
Pros and Cons of FedRAMP
FedRAMP was created as a well-intentioned program to support federal agencies’ cloud software adoption. However, as with most similar efforts, reactions have been mixed. According to a recent Gartner research note, pros and cons have emerged, so security and risk management (SRM) leaders evaluating whether a FedRAMP approach is right for them should consider the following:
As a result of these pros and cons, Gartner recommends the following for SRM leaders responsible for cloud security decisions:
OneStream and FedRAMP Authorization
OneStream Software received the Federal Risk and Authorization Management Program (FedRAMP) Moderate authorization in 2018 and considers it an important qualification for federal agencies seeking cloud solutions that are secure and meet federal standards. In fact, OneStream was the first cloud corporate performance management (CPM) provider to achieve the FedRAMP Moderate authorization.
OneStream went through an expensive and rigorous 18-month process of reviews by the FedRAMP PMO in order to gain FedRAMP Moderate Authorization, and it continues to be audited by the PMO to ensure it remains in compliance with FedRAMP standards. OneStream has not specifically passed the costs of this process on to our customers via our pricing; we see this as the cost of doing business with federal agencies and others that respect the standard.
To learn more about OneStream’s FedRAMP authorization visit our web site or contact your local OneStream account representative.