FedRAMP and StateRAMP Authorized — Part 1
Author: Baan Alsinawi, CISSP, CCSP, CISM, CGEIT, CASP+ ce, and Managing Director at CISO Global
Cloud-based applications and services are booming in 2023, in both the public and private sector. One of the largest and most sought-after clients for any tech company is the U.S. government. In fact, the federal government is investing billions of dollars annually in transitioning IT resources away from on-premises to secure and cost-effective commercial cloud services such as IaaS (infrastructure as a service), PaaS (platform as a service), and SaaS (software as a service). This presents a significant opportunity for cloud application vendors interested in the government sector, but to land federal contracts, they will first have to obtain FedRAMP authorization for their solutions.
FedRAMP Can Be Intimidating
Just the mention of “FedRAMP” might be making you nervous if you’ve heard about the arduous and time-consuming processes. However, knowing what you’re getting into and having a clear understanding of return on investment (ROI) can help keep you focused on the purpose and outcomes. The way FedRAMP works is that you undertake the process once you have a federal agency that wants to contract with you, and they essentially serve as your sponsor. This helps ensure a definite and reliable ROI for all your efforts.
I Feel Your Pain – Actually
Many FedRAMP-accredited third-party assessment organizations, called 3PAOs, work with clients to help them achieve authorization, but few have actually achieved FedRAMP authorization for their own technologies. I did so for TiGRIS (one of the few FedRAMP-authorized GRC platforms listed on the FedRAMP Marketplace), and my team and I know first-hand what your pain points will be. I can share what I worried about, how long it took, what my challenges were, and how I overcame them. And as I have helped clients achieve FedRAMP compliance as a 3PAO, I know both sides of the process. In this series, I will be describing what these frameworks are, how they differ, what they enable you to do, what to expect, and how to prepare.
First and foremost, any cloud service that handles federal data must be FedRAMP authorized, ensuring compliance with FISMA and NIST data privacy and security standards. Achieving FedRAMP authorization provides vendors with access to government cloud service contracts and establishes them as pre-vetted contractors meeting federal security standards.
How Did We Get These Requirements?
In 2011, the Obama administration sought to modernize government IT environments and improve collaboration, functionality, and affordability of the systems supporting federal agencies. As part of this first effort, the Office of Management and Budget (OMB) released the Cloud First Initiative in 2011. The OMB also launched FedRAMP in 2011. It is worth noting here that the cloud implementation and digital transformation being promoted in the government in 2011 has grown into almost universal adoption, maybe even more than people anticipated 12 years ago. Global cloud spending is anticipated to hit $600 billion USD, and within 2 years, 85% of all companies will finally be cloud-first.
Cloud Solutions Improve Efficiency but Introduce New Risks
Cloud platforms have helped improve efficiency in federal agencies, a notable achievement, but security experts recognized that cloud solutions could also be a serious threat vector for cyber attackers. (No one would disagree with that concern in a post-SolarWinds world.) To protect against this, the federal government has implemented increasingly hefty compliance standards to help mitigate the risks introduced through the growing use of IaaS, PaaS, and SaaS solutions. Cloud Smart—the 2019 Federal Cloud Computing Strategy—was based on Cloud First, and FedRAMP remained a key part of the security strategy. FedRAMP's role was codified with the passage of the FedRAMP Authorization Act in 2022.
What’s in It for You?
Becoming FedRAMP authorized offers advantages, such as the ability to reuse security packages across federal agencies. You will also be able to list your organization as a provider on the FedRAMP Marketplace. Wondering if that generates business? Yes, it does. Some providers on the list will be massive enterprise providers who already have significant contracts in place. The good news is, you won’t necessarily be competing against them. Some agencies will prefer to work with what they may see as more accessible providers.
More Advantages Than You May Have Realized
Being FedRAMP authorized also serves as a business differentiator in the private sector. Your nongovernment clients will understand that you have undertaken significant efforts to validate your cybersecurity posture if you are FedRAMP approved. Increasingly, private organizations are seeking evidence of your security with validations such as compliance certifications or authorizations, so this can go a long way in sales cycles. CISO Global has helped numerous clients better position themselves to succeed in regulated markets by building a strong, compliant, tested, and validated cybersecurity program.
How Is StateRAMP Different from FedRAMP?
StateRAMP, launched in 2021, follows a similar framework to FedRAMP but applies to state and local governments. Contractors seeking StateRAMP authorization must also undergo assessment by 3PAOs. To meet StateRAMP standards, you also need to adhere to continuous monitoring and annual certifications to demonstrate that you weren’t just compliant at one point in time but that you remain compliant. An annual assessment isn’t enough to ensure you are taking care of business with cybersecurity. It’s an ongoing effort to be and to remain secure.
Competitive Advantages of StateRAMP Authorization
Although StateRAMP authorization is not yet mandatory for vendors selling cloud services to state and local governments, it is increasingly being mandated and preferred by many states. Further, there is a list of StateRAMP-approved providers with whom state agencies can contract that is similar to the FedRAMP Marketplace (TiGRIS is also listed on the StateRAMP authorized product list).
As an expert on compliance trends, I can tell you that once a standard is preferred, as StateRAMP is by many states, it will either be required by all states soon or you will have difficulty competing for business against other vendors in your space without that compliance validation. I can also say that state agencies and many municipal governments are steady and reliable clients if you are willing to put in the time to meet their requirements. One large contract can transform your business if you manage it well.
CISO Global offers expert compliance support, with certified and highly experienced 3PAO auditors, a full suite of government contracting compliance support, and end-to-end services needed to implement security controls in your environment. If you’d like to talk to an expert about your compliance needs, you can reach out to us here. If you would like more information on our approach to security and compliance, our team, or anything else, explore our Strategy and Risk offerings.