Working with a FedRAMP Authorized Provider? Make Sure You Ask These Questions

The cloud can help governments increase their agility, but it also comes with distinct security risks that agencies need to prepare for as they integrate more of these solutions into their IT environments.

Working with a FedRAMP authorized provider can reduce some of the business risks your agency faces when migrating to the cloud. Still, this approach isn’t foolproof. Your organization will have to do its due diligence and ask the right questions as you decide whether to collaborate with a strategic technology partner who has FedRAMP authorization. Here are three questions to ask as you get started.

Do You Have Provisional or Agency Authorization?

First, it’s important to understand that FedRAMP authorization applies to cloud products and services and not to a cloud provider as a whole. Therefore, a provider may have certain solutions that are FedRAMP authorized and others that aren’t.

A cloud solution can become FedRAMP authorized in two ways. It either can receive authorization through an agency or receive a provisional authorization through the Joint Authorization Board (JAB), the governing body that grants FedRAMP authorizations.

With either path, a cloud provider will have to undergo a security assessment to get its product authorized. However, cloud providers that pursue agency authorization work directly with a specific agency from beginning to end of the FedRAMP certification process.

One of the benefits of provisional authorization is that a cloud provider will have met some of the most comprehensive security requirements for working with the federal government, since this designation is more all-encompassing. The JAB only chooses 12 cloud products — not providers — each year to receive provisional authorization, and it is also tasked with performing continuous monitoring for any products with provisional authorization (an agency assumes this responsibility for an agency-authorized cloud product).

If you’re a federal agency looking to work with a FedRAMP authorized vendor, collaborating with a provider that has provisional authorization can accelerate the process because the JAB focuses on approving cloud products that can be leveraged across most, if not all, government agencies. However, every provider has a different authorization strategy. Some companies deliberately choose not to pursue provisional authorization right away because of the significant time and effort involved or because their product may be tailored to a very specific use case or agency. If a potential provider doesn’t have provisional authorization, your organization will need to pursue the agency authorization process with them before you can onboard their solution. There’s nothing wrong with this, especially if the cloud provider’s solution is the perfect fit for your organization. Achieving agency authorization also involves considerably less time than a provisional authorization, taking four to six months to complete compared to upwards of nine months for provisional authorization. Factor in this time frame as your agency develops its transformation roadmap.

What Large-Scale Implementations Have You Managed for Other Government Organizations?

FedRAMP is primarily focused on security. While this is critical, it’s important to understand a cloud provider’s domain expertise and the type of implementations they’ve been involved in with prior government agencies. This is particularly crucial if you’re a state or large local agency. Why? Because many software vendors now tout FedRAMP authorization as a way to attract new business within all levels of government. Though StateRAMP is slowly emerging as an approach state and local governments can use to identify secure cloud solutions, FedRAMP authorization also provides a certain level of confidence in the security posture of a potential cloud solution your state or local government may be considering.

If a vendor says they are FedRAMP authorized, be sure to check the FedRAMP Marketplace to get more details on the type of authorization and the federal agencies that use their cloud offering(s). From there, ask the cloud provider about the types of implementation they’ve handled for these agencies. Due to confidentiality agreements, your provider may only be able to provide general details, such as whether the implementation was agency-wide or for one particular department, how long the implementation took and whether the implementation involved a transition from on-prem to the cloud.

Also ask the provider if they have experience in the key use cases or specific digital transformation initiatives your organization plans to execute, whether it’s a self-service virtual chatbot, IT portfolio management or AI automation to detect fraud in financial reporting or social service programs. Once you have this information, you can make a more informed decision about whether to make this technology investment.

What Security Protocols Do You Have in Place?

Even though vendors go through a full security assessment to get FedRAMP-certified, it’s still important that you understand a potential vendor’s security practices.

You can review each vendor’s FedRAMP security package by completing a package request form on the FedRAMP website. You must have a .gov or .mil email address to make this request. By accessing this information, you can gain deeper insight into the security measures a cloud provider has in place for its solution — beyond just the assurance provided by its FedRAMP designation.

You also should understand the different impact levels within FedRAMP. FedRAMP categorizes cloud products and services across three impact levels based on the potential impact of a security breach: low impact, moderate impact or high impact. Cloud providers must identify the potential impact level for their solution when they seek authorization (FedRAMP encourages provisional authorization for solutions where the risk is deemed high impact).

Additionally, your CISO or security lead should ask to view a potential provider’s latest security audit. Providers must submit security audits regularly to stay FedRAMP-compliant, so an audit can also contain valuable information to inform your organization’s decision-making process and help you assess whether you’re completely comfortable with the security protocols they have in place.

Speeding Time to Value with a FedRAMP-Authorized Vendor

Despite a vast cloud marketplace with thousands, if not millions, of solutions, only 236 cloud products are currently FedRAMP authorized.

When you choose a FedRAMP authorized cloud solution, whether it has received provisional or agency authorization, you can have peace of mind that the product has undergone a rigorous security assessment and has been deemed secure enough to handle highly sensitive government data. Still, that doesn’t mean your organization can’t ask questions and add another layer of due diligence. As you assess cloud providers, seek more details about their FedRAMP authorization, ask about their domain expertise and request documentation to get up-to-date information about their security practices. Taking all these steps can ensure you make the right investment for your organization.
