By Stephanie Bartlett   February 11, 2025

What is FedRAMP and What Does it Mean When Evaluating CPM Solutions?


For federal agencies, security and risk management are top priorities. The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program. FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The program was designed to support federal agencies’ need to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT systems.

FedRAMP created and manages a core set of processes to ensure effective, repeatable cloud security for the government. The program also established a mature marketplace to increase utilization and familiarity with cloud services while facilitating collaboration across government through open exchanges of lessons learned, use cases, and tactical solutions.

Categorizing Offerings by FedRAMP Impact Levels

Over 360 authorized FedRAMP cloud services are listed in the FedRAMP Marketplace as of February 2025, with many more going through the authorization process. Under FedRAMP, cloud service offerings (CSOs) are categorized into one of three impact levels (Low, Moderate, High) across three security objectives (Confidentiality, Integrity, Availability):

  • Confidentiality: Access to and disclosure of information are restricted, including means for protecting personal privacy and proprietary information.
  • Integrity: Stored information is sufficiently guarded against modification or destruction.
  • Availability: Timely and reliable access to information is ensured.

FedRAMP Impact Levels

Low Impact is most appropriate for CSOs where loss of confidentiality, integrity, and availability would have limited adverse effects on an agency's operations, assets, or individuals.

Moderate Impact systems account for nearly 80% of cloud service provider (CSP) applications that receive FedRAMP authorization. This impact level is most appropriate for CSOs where the loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency's operations, assets, or individuals. More specifically, serious adverse effects could include significant operational damage to agency assets, financial loss, or individual harm that is not loss of life or physical harm.

High Impact data is commonly used in law enforcement and emergency services, financial, and health systems, and any other system where loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. FedRAMP introduced its High Baseline to account for the government's most sensitive, unclassified data in cloud computing environments, including data that involves the protection of life and the prevention of financial ruin.

The original program was designed to support federal agencies, according to Gartner. However, various other entities have an increasing interest in the FedRAMP program:

  1. State and local agencies
  2. Tribal and non-US governments
  3. Companies in regulated industries
  4. Defense industry
  5. Non-profit and educational organizations

Why Does FedRAMP Matter?

As part of the FY23 National Defense Authorization Act (NDAA), the FedRAMP Authorization Act was signed in December 2022. The act classifies FedRAMP as the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information.

Importantly, this classification facilitates faster adoption of modern technology by federal agencies, with trust that solutions have been thoroughly reviewed and meet government security standards.

OneStream and FedRAMP Authorization

OneStream Software has completed the rigorous authorization process and recently achieved FedRAMP High authorization status. This authorization certifies that OneStream’s cloud-based platform meets the federal government’s strictest safety standards. Further, OneStream is authorized for use by federal entities that require the highest level of security for sensitive, mission-critical data.

With this authorization, OneStream is the only complete end-to-end FedRAMP High certified and DoD Impact Level 4 (IL-4) authorized cloud corporate performance management (CPM) provider for federal agencies.

OneStream offers a robust platform solution for financial consolidation, reporting, planning, analysis, and data quality at a heightened security level. As a result, OneStream enables agencies to accelerate and simplify planning processes across the Budget and Finance Offices. By modernizing back-office operations, federal agencies can better navigate increasing resource costs, optimize funding allocations, and advance mission outcomes.

At OneStream, we believe security and compliance are critical, so we are committed to providing a secure and reliable platform for our customers. We’re excited to continue that commitment to federal agencies, with FedRAMP High marking the latest update to OneStream’s compliance portfolio.

Conclusion

FedRAMP plays a crucial role in supporting the needs of federal agencies and maintains high standards to ensure security, compliance, and mission readiness for cloud environments. When evaluating software, federal government agencies should understand FedRAMP's Impact Levels and how they can support agency missions. With OneStream, security and compliance remain core to the platform, and this latest milestone is a testament to our dedication to serving the evolving needs of the public sector.

Learn More

Learn more about how OneStream's platform uniquely empowers government agencies to plan with confidence and best serve their missions at https://www.onestream.com/solutions/government/.