We were thrilled to participate in this year’s SIA GovSummit.
SIA GovSummit is the nation’s premier government security conference, bringing together public sector security leaders with private industry technologists for knowledge sharing and education on key security trends and topics that affect federal, state, and local agencies.
What Is FedRAMP?
A key point of discussion at this year’s edition was the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is an initiative that aims to ensure government agency data is secured to a consistently high standard in the cloud.
Identiv’s Senior Sales Engineer, David Helbock, moderated our roundtable at SIA GovSummit, which discussed, among other things, the options physical security specialists have for moving on-premises servers and clients to a FedRAMP-approved cloud model.
After the expert panel discussion, we sat down with David to dive into some of the fundamentals of FedRAMP.
When was FedRAMP introduced, and for what purpose?
David: FedRAMP was originally established back in 2011 when cloud technologies really began to come to the fore as a way of enhancing the security of cloud services used by the U.S. government.
The program was launched as a result of the government’s “Cloud First” strategy, stemming from a “25 Point Implementation Plan to Reform Federal Information Technology Management” unveiled in December 2010.
Today, FedRAMP empowers federal agencies to use modern cloud technologies with an emphasis on security and protection of federal information.
Where cloud service providers would previously prepare inconsistent and individual offerings for the agencies they wanted to work with, FedRAMP ensures that requirements are both enhanced and standardized.
In this way, security is maximized, and those certified cloud providers are now licensed to work with multiple agencies, streamlining the process.
Why is FedRAMP certification becoming so important?
David: Initially, FedRAMP adoption was limited, with just 20 services from cloud providers authorized between 2011 and 2016. As of June 2021, however, there are now 225 authorized FedRAMP products, with the number of providers seeking certification spiking dramatically in the past half-decade.
Why? According to spending analysis from Bloomberg, U.S. federal agencies spent $6.6 billion on cloud computing services in 2020, and $6.1 billion in the year before that. It is big business.
From the government’s perspective, FedRAMP is vitally important because it standardizes agency security while keeping the bar high. In taking this approach, federal organizations save considerable expense and time while remaining safe in knowing the cloud services and products they use protect federal data properly.
Securing FedRAMP certification is no easy task. It is one of the most demanding and stringent software-as-a-service (SaaS) certifications in the world, with 19 standards and guidance documents and 14 laws and regulations applicable to FedRAMP.
Further, once certified, regular audits are conducted to ensure that compliance is maintained.
Is FedRAMP a realistic requirement for physical access control systems (PACS) that are hosted and managed by a commercial vendor?
David: Just like other forms of software and systems, there are many security risks facing PACS managed in the cloud. A threat actor may wish to bring critical access control systems down, for example, while edge devices managing electronic access control points also collect access control data and personally identifiable information.
While FedRAMP to date primarily concerns the digital environment, with examples of approved products being Amazon Web Services, Adobe Analytics, and Slack, PACS managed in the cloud are equally cloud services and therefore will need to meet the same criteria.
To reiterate, FedRAMP is a government-wide program that promotes the uptake of secure cloud services across the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies. This includes cloud-based security systems.