The adoption and use of secure cloud solutions are the way of the future for the public sector, and the Federal Risk and Authorization Management Program (FedRAMP) plays a key role. FedRAMP was established in 2011 to encourage and support the adoption of secure modern technology for government agencies. It empowers agencies to use modern cloud technologies, with an emphasis on the security and protection of federal information, and helps accelerate the adoption of secure cloud solutions (FedRAMP | GSA).
Data security is a critical concern for all organizations, and FedRAMP helps agencies by providing a review and continuous monitoring program of cloud service providers to ensure they meet rigorous standards. According to fedramp.gov, “Before FedRAMP, cloud service providers had to meet different security requirements for each federal agency. FedRAMP eliminates duplication by providing a common security framework, making it possible for agencies and cloud service providers to reuse authorizations. A cloud service offering is authorized once and then the security package can be used by any federal agency.”
The cyber world is ever-evolving, and FedRAMP-authorized cloud service providers must maintain system compliance and stay current on new standards and guidelines. FedRAMP leverages the standards and policies created by the National Institute of Standards and Technology (NIST) and oversees a conformity assessment program. Every cloud service provider must go through the process, ensuring security and consistency. FedRAMP also establishes requirements for continuous monitoring.
How does a cloud services provider become FedRAMP authorized?
FedRAMP is mandatory for all U.S. federal executive agency cloud deployments. Four key players must work together to ensure all FedRAMP policies, procedures, and guidelines are met. They include:
- FedRAMP project management office to oversee the entire process
- The cloud service provider, such as Wolters Kluwer TeamMate, that is seeking to provide a cloud service offering to U.S. federal agencies
- Third-party assessment organization to conduct independent assessments of federal cybersecurity requirements
- Sponsoring agency that works with the cloud service provider to achieve FedRAMP authorization. TeamMate has selected the National Institutes of Health (NIH) as its sponsoring agency to ensure it meets all FedRAMP standards.
Drivers for a cloud deployment
Monica Diggs is a Program Analyst at the National Institutes of Health and a long-time TeamMate audit management software user. The disruption during the pandemic emphasized her organization’s need for a cloud-based version of the audit software. While Monica’s team worked remotely, she had limited access to their machines.
TeamMate+ is FedRAMP authorized at the product level and for cloud hosting. Other than the initial deployment, updates happen regularly and automatically. This means NIH no longer needs to manage and coordinate IT resources for solution enhancements, ultimately reducing the burden of administrative overhead.
“We were already using TeamMate, and I wasn’t looking to change the software. But as I planned for the future, I knew we needed to be in the cloud,” said Monica. “TeamMate’s plan to achieve FedRAMP Authorization fit with our needs. In addition to the security confidence that FedRAMP Authorization affords, the use of cloud technology reduces administrative overhead and frees me up to spend time on program-specific tasks.”
Leveraging cloud-based tools means that government audit teams can focus on their mission rather than constantly managing software upgrades, version compliance, etc.