FedRAMP was designed in collaboration with security experts across a wide range of governmental and private entities, with the goal of establishing a standardized approach to security assessment, authorization, and continuous monitoring for Cloud Service Providers (CSPs) that supply services or products to a governmental entity.
Prior to FedRAMP, it was not possible for a governmental entity to complete the RFP process and be confident that the selected vendor adhered to any security controls, which either grinds the selection process to a halt and/or leaves confidential data exposed through a lack of due diligence. FedRAMP has solved this problem by instituting a detailed and standardized framework for CSPs, allowing vendors to be measured easily on their security posture.
This obviously does not come without a cost to Cloud Service Providers, which may never have needed to compile the necessary documentation or been required to implement strict security controls throughout the company. One would think that the defined audit controls and requirements are obvious business or security practices, but the reality all too often is that companies treat them as “nice to do” items rather than controls that are mandated and followed up on.
The FedRAMP security baseline is set at the FISMA low to moderate levels, which are strong but by no means unachievable, even for a small business. The compliance requirements will seem extremely cumbersome to companies that have never made data security processes a priority, but with assistance from a qualified professional and an internal dedication of resources, a whole new line of business can be opened up through the many outsourcing projects underway across the Government.