
by Ian MacRae
President and CEO, E-N Computers
25+ years experience solving business IT problems in Virginia and Washington, D.C.
If your business works with federal agencies and handles federal data, your cloud services need to comply with FedRAMP. But recent changes in FedRAMP and new requirements for defense contractors may leave you confused about which cloud services comply.
FedRAMP, the Federal Risk and Authorization Management Program, is a program that authorizes cloud services for use by the federal government and its contractors. It sets a standard approach for assessment, authorization, and continuous monitoring of cloud systems designed to hold federal data.
From the 2011 inception of the FedRAMP program until 2024, there was one path to FedRAMP authorization called Agency Authorization. In this path, a cloud service provider (CSP) works directly with a federal agency to gain Authority to Operate (ATO).
In July 2024, changes were announced that will expand the role of FedRAMP as a security and risk management program. FedRAMP will begin rolling out Program Authorizations, a way for cloud service providers to achieve FedRAMP authorization without a direct relationship with a federal agency. This should help increase the number of cloud services on the FedRAMP Marketplace.
FedRAMP has three levels of authorization based on impact to an agency’s operations, assets, or individuals: Low, Moderate, and High. (To learn more, check out the FedRAMP blog post, Understanding Baselines and Impact Levels in FedRAMP.)
QUICK ANSWER:
What is FedRAMP and why does it matter for federal contractors?
FedRAMP sets standards for cloud services that will hold federal data. Federal agencies and the contractors they work with are expected to protect this data. The program aims to make it easier and more cost-effective to securely store federal data on cloud services by creating a marketplace of authorized cloud services. Many federal contractors will benefit from using a FedRAMP Moderate authorized solution. If you use a FedRAMP Moderate equivalent solution, you are responsible for fully vetting its compliance.
What federal data is included?
FedRAMP is designed for the security of all federal data on cloud services. That includes, but is not limited to, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). So does FedRAMP apply to your federal contract? Yes.
Defense contractors are required under DFARS 252.204-7012 to make sure the cloud services they use are FedRAMP Moderate authorized or equivalent. Under CMMC, they must prove that the services they use are compliant.
Chart of FedRAMP impact levels, data examples, and related cloud services
| Impact level | Potential adverse effects of a breach | Data examples | Products we use |
|---|---|---|---|
| Low | Limited | Login credentials (username, password, email); no PII | |
| Moderate | Serious, e.g. bodily harm, operational damage, financial loss | Juvenile court records; critical energy infrastructure; investment info (e.g., M&A); railroad safety | FutureFeed (seeking equivalency certification); Cisco Meraki for Government; Microsoft 365 GCC (Office 365 Multi-Tenant) |
| High | Catastrophic, e.g. loss of life or financial ruin | DoD CUI, including missile defense, nuclear information, and export-controlled “no foreign dissemination” marking | Microsoft 365 GCC High |
What is FedRAMP Moderate authorized?
FedRAMP Moderate authorized means that a cloud service has implemented security controls, developed supporting documentation, gone through a third-party assessment, remediated any problems, and has had all of this reviewed by the federal agency they are partnered with and the FedRAMP office. Once a cloud service is FedRAMP Moderate authorized, other federal agencies and their contractors can use it without going through the same process.
Because the process is rigorous, time-consuming, and has required an agency partnership until now, some cloud service providers have opted for equivalency rather than authorization.
What does FedRAMP Moderate equivalent mean?
According to this DoD memorandum dated December 21, 2023 (PDF):
To be considered FedRAMP Moderate equivalent, CSOs [Cloud Service Offerings] must achieve 100% compliance with the latest FedRAMP moderate security control baseline through an assessment conducted by a FedRAMP-recognized Third Party Assessment Organization (3PAO) and present the documentation to the contractor …
Required documentation includes a System Security Plan (SSP), Security Assessment Plan (SAP), Security Assessment Report (SAR) prepared by a FedRAMP-recognized 3PAO, and Plan of Action and Milestones (POA&M). The POA&M must show that any issues have been corrected and validated.
In short, FedRAMP Moderate Equivalent means that a product or service has all the required security controls and has successfully completed an independent audit by a FedRAMP-recognized assessor within the last year. However, the provider does not have an established partnership with a federal agency, nor does it have a FedRAMP Marketplace designation.
As a contractor, you should receive the body of evidence from the cloud service provider: the System Security Plan (SSP), Security Assessment Plan (SAP), Security Assessment Report (SAR), and Plan of Action & Milestones (POA&M) (for continuous monitoring only). You also need proof that a third-party assessment has taken place in the last year. You, the contractor that plans to keep data in this system, are responsible for validating that the cloud service provider is compliant and for reporting on this. For this reason, we advise clients to be very careful about relying on such services.
Does ENC use FedRAMP-compliant tools?
We use FedRAMP-authorized and FedRAMP Moderate Equivalent software when necessary. And we work with you to make sure that any federal data you handle is appropriately protected on any systems it touches — because ultimately you are responsible for the data entrusted to you. Here are some details about a few of the tools we use.
Microsoft 365 GCC and GCC High
Microsoft 365 has several cloud offerings, including the Commercial Cloud, Government Community Cloud (GCC), and GCC High. Their government products are FedRAMP compliant and they provide a GCC High blueprint with guidance on implementing controls.
We are consolidating as much of our tooling into Microsoft 365 as possible. While the tools provided still need to be configured and managed correctly, we find that consolidation gives clients a much better experience. Consolidated tooling simplifies onboarding, offboarding, compliance, and billing. It allows us to manage your environment, including configuration, alerts, and licensing, more efficiently.
ENC is able to directly acquire GCC licenses and we have a partner through whom we can acquire GCC High licenses. These licenses are 50%–75% more expensive than their commercial equivalent. If you require some GCC licenses, we recommend keeping all your licenses at that level for better management and flexibility.
Cisco Meraki
Cisco Meraki provides simplified cloud-based network management and fantastic hardware that we love working with. In February 2024, they achieved FedRAMP authorization.
FutureFeed
FutureFeed is our preferred GRC tool for CMMC. Their stated goal is to work toward FedRAMP Moderate Equivalent certification and they have taken steps to that end. In 2021, they migrated all data and code to AWS GovCloud. In 2024, they partnered with ProjectHosts to help them prepare for certification. They will undergo an official assessment in October 2024, and expect to have an attestation letter from their assessor by February 2025. You can find more details in FutureFeed’s post about it.
What are the benefits of FedRAMP?
FedRAMP benefits federal agencies by creating a cost-efficient path to adopt modern cloud solutions while making sure that federal data is adequately protected. The FedRAMP website highlights these benefits:
- Reduces duplicate effort and cost inefficiencies
- Promotes the development of more secure information technologies
- Accelerates federal adoption of cloud computing through transparent standards and processes
The idea here is that once a cloud service has its authorization, other agencies and contractors can use it without having to validate compliance on their own. As program authorizations roll out, this should make it easier for contractors to find and use software that meets federal requirements without a great deal of extra work.
Next Steps
When you have the right people working together, you can implement systems and processes that actively help you reach your business goals. We sometimes call this IT maturity. But for many organizations, something is off when it comes to their partnerships, strategy, systems, and settings. How can you know what’s working well and where you have room for improvement? Start by taking our free IT Maturity Self-Assessment. You’ll walk away with some pointers and, if you want, a free appointment to discuss your results.