FedRAMP Security for the Private Sector
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
While FedRAMP has gained a large and growing following among federal and state government agencies, including the Department of Defense, Health and Human Services, the Treasury Department and many others, FedRAMP is now making significant inroads in the private sector, specifically in commercial enterprises.
“FedRAMP has not only caught the attention of government agencies, but also private sector cloud service buyers.” (Information Week, Government Issue)
Based on the NIST baseline controls defined in NIST SP 800-53 rev4 for low- and moderate-impact systems, FedRAMP brings this security standard into the cloud, enabling organizations to comply with NIST security standards by way of a FedRAMP-compliant community or private cloud environment. FedRAMP’s additional controls address the unique elements of cloud computing to ensure all data is secure in cloud environments.
Security Standards Designed for Clouds
FedRAMP takes all the security requirements agencies had to follow for their conventional IT systems and "extends those controls specifically for cloud computing," says Melvin Greer, a chief strategist at Lockheed Martin. More important, "FedRAMP has codified security," Greer says. "It has detailed what we mean when we say cloud security." It also makes it easier for acquisition staffs to buy cloud services because "they can be assured services from FedRAMP-approved providers will meet all of their requirements." [1]
Driving the demand for FedRAMP-compliant clouds in the private sector is the need to secure critical business data from unauthorized access or theft. This is especially important for organizations that must comply with specific industry mandates, such as the health care industry’s HIPAA requirement to fully protect patient data.
Information Security Levels
Similarly, private enterprises are now defining their “information security levels” and specifying the level of security required for each of their cloud-based applications and associated data. In the same fashion that FedRAMP classifies information security levels for confidentiality, integrity and availability into “low-impact,” “moderate-impact,” and “high-impact” categories, private enterprises are doing the same. Here’s a brief video of the FedRAMP Director describing information security levels for government agencies.
While the definition of what “high-impact” means for a private enterprise may differ from that of a government agency, the goal is the same – to ensure that the organization’s most critical information is fully secured. In government, a “high-impact” rating usually means data that, if accessed or stolen, could result in life-threatening situations or financial ruin.
Within enterprises, “high-impact” data, or “critical data” as it is more commonly called, includes:
- Information about mid- to long-range strategic plans
- Information that includes IP (intellectual property) and research findings
- Information that could lead to lost sales
- Information that could lead to financial or regulatory penalties
- Information that could result in severe damage to the company’s value or reputation
“Moderate” and “Low” impact data can also be fully secured by FedRAMP and include elements such as:
- Information related to personnel or customer data
- Information that is deemed confidential in nature
- Information that could marginally disrupt business operations
- Information that is competitively sensitive
The chart below highlights the holistic security elements covered by FedRAMP authorization, as compared to the NIST 800-53 and ISO 27001 security standards (and, for reference, DoD Impact Level 4).
FedRAMP SaaS-Level Compliant Solutions
Project Hosts offers FedRAMP SaaS-level compliant cloud solutions that support 100% of the security controls required to meet this standard. Our Federal Private Cloud for Windows and Linux Applications (FPC) uses Azure infrastructure and delivers popular Microsoft solutions as well as applications from other commercial software vendors such as AvePoint, BrightWork, Gimmal, Innovative-e, Nintex, UMT360 and Urban Turtle, and open source applications such as Drupal, WordPress and Joomla for agency website content management. For more information on these solutions, visit our FedRAMP Cloud Solutions page.
- AvePoint - SharePoint Governance, Compliance and Management
- BrightWork - Project & Portfolio Management on SharePoint
- Drupal - Website Content Management System
- Dynamics CRM (MSFT) - Advanced Customer Relationship Management
- Gimmal - SharePoint Information Governance Solutions
- Innovative-e - Project Management on Your Terms (PMOYT)
- Joomla! - Website Content Management System
- Nintex - Workflow Automation Solution for SharePoint
- ProjectServer (MSFT) - Industry Leading Project and Portfolio Management Solution
- Remote (virtual) Desktop (MSFT) - Eliminate Security Risks with Zero Local Data
- SharePoint (MSFT) - Advanced Collaboration and Documentation Management
- Team Foundation Server (MSFT) - Website Content Management System
- UMT360 - Enterprise Portfolio Management Solutions
- Urban Turtle - Advanced SW Development and Collaboration Platform
- WordPress - Website Content Management System
| SECURITY SERVICES | ISO 27001 | NIST 800-53 | FedRAMP | DoD IL 4 |
|---|:---:|:---:|:---:|:---:|
| Total number of security controls | ~125 | ~200 | ~325 | ~370 |
| Enterprise malware protection | ✓ | ✓ | ✓ | ✓ |
| Network-based intrusion detection | ✓ | ✓ | ✓ | ✓ |
| Remote access gateway | ✓ | ✓ | ✓ | ✓ |
| Backup, recovery, DR with annual tests | ✓ | ✓ | ✓ | ✓ |
| Incident response with annual tests | ✓ | ✓ | ✓ | ✓ |
| Security patching and updating | ✓ | ✓ | ✓ | ✓ |
| Annual ISO 27001 compliance audits | ✓ | ✓ | ✓ | ✓ |
| Web application proxy in DMZ | | ✓ | ✓ | ✓ |
| SIEM for centralized log correlation | | ✓ | ✓ | ✓ |
| Multifactor authentication for admins | | ✓ | ✓ | ✓ |
| OS & DB vulnerability scanning | | ✓ | ✓ | ✓ |
| Web app vulnerability scanning | | ✓ | ✓ | ✓ |
| Multifactor authentication for all users | | | ✓ | ✓ |
| Monthly CIS compliance updates | | | ✓ | ✓ |
| Annual penetration testing | | | ✓ | ✓ |
| Annual FedRAMP compliance audits | | | ✓ | ✓ |
| Government-only community cloud | | | G* | ✓ |
| Encryption of data at rest | | | | ✓ |
| Host-based intrusion detection | | | | ✓ |
| Monthly STIG compliance updates | | | | ✓ |
| Access via DoD NIPRNet (not the Internet) | | | | ✓ |
| Annual DISA compliance audits | | | | ✓ |
G* - U.S. Government customers only
[1] Information Week, Government Issue, 2014