What is FedRAMP, and why is it mandatory for federal agencies?

By Richard Arneson

Politically speaking, people want the government to intervene either more or less, but there’s something we can all agree on—FedRAMP is a good thing. FedRAMP is short for Federal Risk and Authorization Management Program, which is another way of saying “keeping federal agencies’ data safe when using cloud services.” Now, instead of agencies deploying cloud applications and services willy-nilly (see: unsecured), they can safely turn to a cloud services provider (CSP) that has earned FedRAMP accreditation. In addition to ensuring that agencies receive the highest levels of cloud security, it also enables them to save considerable time and money that they’d otherwise spend assessing providers. Here’s another thing we can all agree on―government waste is a bad thing. FedRAMP addresses that.

The FedRAMP certification process

Becoming FedRAMP-certified is not like getting a driver’s license, where a few classes are taken, a simple exam is passed, a seal of approval is stamped and the certification is issued. Getting FedRAMP-certified is an extensive process, and it should be. Not to downplay the importance of enterprises’ mission-critical information, but when it comes to government data, the safety of about 330,000,000 U.S. citizens is at stake. Even though FedRAMP was introduced over seven (7) years ago by the U.S. Office of Management and Budget, there are currently only about one hundred (100) providers that are FedRAMP-certified. Each is broken out into one (1) of three (3) service models: IaaS, PaaS and SaaS. A handful are certified in more than one (1) service model, and that list is primarily composed of a few companies with which we’re pretty familiar―Google, Microsoft, AWS (Amazon Web Services) and Salesforce. Providers can get FedRAMP-certified in one (1) of two (2) ways, either through a JAB (Joint Authorization Board) provisional authorization (P-ATO) or through a select agency, known as Agency Authority to Operate (ATO).

Joint Authorization Board provisional authorization (JAB P-ATO)

The JAB includes representatives from the Department of Defense (DoD), the Department of Homeland Security (DHS) and the General Services Administration (GSA). Their vetting process is so extensive that they authorize only three (3) CSPs per quarter. First, however, the provider must prove that there has been a demonstrated demand for their service by a wide array of agencies. That initial hurdle knocks a huge percentage of applicants out of the running. Extensive security assessments are conducted by the JAB, after which they conduct, with the applicant, a collaborative deep dive into their cloud offerings, architecture, and capabilities (especially as they relate to security). A thorough Q&A session caps off the application process, after which the JAB makes their decision to grant, or not grant, FedRAMP authorization.

Agency Authority to Operate (ATO)

The FedRAMP authorization process takes into consideration CSOs that have only a few agencies interested in their services, or that have designed a cloud for a particular agency. In this case―and because it’s required that agencies only utilize FedRAMP-authorized providers―the provider would apply for certification through the ATO process. Basically, it allows for agencies to gain certification on an as-needed basis. The ATO process requires that the CSP formalize their partnership with a particular government agency. First, however, their service must be fully built and functional. It’s up to the agency to analyze and approve the applicant’s SSP (System Security Plan), after which a Security Assessment Plan (SAP) needs to be developed with a 3PAO (third-party assessment organization). 3PAOs are organizations selected by the U.S. government to evaluate agencies and test their SAP to ensure it is FedRAMP-compliant.

Which certification process to choose?

JAB is good for providers offering services that can be utilized by multiple agencies. ATO is best for those providers that have developed what can best be described as a niche offering. FedRAMP doesn’t want to exclude agencies from being able to access a particular service if it perfectly meets their needs. Hence, the ATO process. But regardless of which authorization process providers choose (and it is up to them), the goals are the same―secure and diverse cloud services options for federal agencies.

Even if you’re not a government agency…

Utilizing a cloud service provider that is FedRAMP-certified provides organizations peace of mind, whether they are a federal agency or not, in knowing that they’ve selected a company that has been carefully, and laboriously, vetted by the U.S. government. And that perfectly describes GDT, which has been FedRAMP-certified for years and secures the government cloud for agencies of all sizes. In addition, they provide cloud services for enterprises and service providers of all sizes, and from a variety of industries. You can contact GDT’s talented solutions architects and engineers. They’d love to hear from you.