4 Tips for FedRAMP Cloud Provider Research

When it comes to cloud computing solutions for your company, there are thousands of service providers out there. However, you may find yourself needing a vendor authorized to operate cloud services for all or some federal agencies – in other words, a provider that meets the federal security standards of the Federal Risk and Authorization Management Program (FedRAMP) and holds a FedRAMP authorization for the service you intend to use.

FedRAMP has changed the way the cloud computing industry and government agencies look at security. The program is grounded in its motto, “Do once, use many times,” and aims to provide a standardized way to assess and authorize cloud solutions once so that many agencies can reuse that work, reducing the money, time, and effort each organization would otherwise spend assessing cloud security on its own.

The program has made it easier to find a partner who meets the FedRAMP criteria, but not every FedRAMP cloud provider is created equal.

The process of finding a FedRAMP authorized provider is time-consuming and demanding. You may be asking, “Where do I start?” and “Who can help me?” Here are four important considerations to get you started.

Understand Your Requirements

Before your organization can migrate to a FedRAMP authorized system, it is important to first understand what your agency’s requirements are.

  1. Start with a self-audit of your current system to document its technical specifications (compute, storage, network, dependencies, and data flows). This information will be critical for capacity planning and for designing the architecture of your new cloud system.
  2. Know whether the migration is for an existing application or a new one. If it is a new application and your agency does not have an in-house development team, you will need a qualified third-party developer to build it.
  3. Understand your schedule. By establishing an implementation schedule and an overall deadline for FedRAMP adoption, you can realistically and strategically plan the subsequent tasks.
  4. Finally, a thorough understanding of your agency requirements will let you determine your system’s security categorization. FedRAMP baselines are defined at the Low, Moderate, and High impact levels (following the FIPS 199 categorization of the data’s confidentiality, integrity, and availability impact), and the level you assign determines which baseline of controls applies. Settle this early: a provider authorized only at the Moderate level cannot host a system you have categorized as High, so the categorization narrows your vendor shortlist before you start.

Review Vendor Options

Once your agency has begun to implement the Federal Government’s Cloud First policy, it is important to understand what has to be accomplished at the provider level versus the application level. A provider’s FedRAMP authorization covers only the provider’s own system boundary; the controls above that boundary remain your responsibility and are spelled out in the provider’s customer responsibility matrix, so ask for that document and read it before you sign. As with many aspects of cloud computing, this is an area in which choosing the right solution provider is crucial.

Most cloud service providers only offer IaaS solutions with a FedRAMP authorization, whereas Contegix offers both IaaS and PaaS solutions. The distinction matters because it drives both cost and responsibility: with a standard IaaS offering, the operating system and runtime above the hypervisor are yours to build, harden, and keep compliant, which typically means paying dedicated systems engineers to set up the runtime environment. SecureCloud PaaS meets FedRAMP’s requirements and takes on that layer, so that additional cost does not apply.

Other options you should look for are:

  1. Managed support for the entire hosting environment, whatever platform you run
  2. Supported high-performance technologies that meet government cloud service requirements (such as OpenStack, OpenShift, and Docker)
  3. Managed integration and advanced security assessments
  4. Affordable and customizable solutions

Discuss Their Migration Process

To migrate your system to a FedRAMP authorized environment, first discuss with your prospective provider how systems are moved from your current environment into theirs. This will require establishing the system and storage components in the new environment and strict coordination between your engineering team and the third-party system integrator.

Understand your prospective provider’s processes inside and out to ensure they are fully capable of making a seamless migration into a FedRAMP authorized environment. Find out which tools they use, such as Docker and OpenShift, and ask whether they work with any systems integrators.

It is also recommended that you set up a migration plan, including a schedule and allocated resources. Once you have discussed the details of the migration with your prospective provider, developing a realistic and accurate schedule becomes straightforward.

FedRAMP provides various resources – including templates and technical checklists – that outline the security assessment process.

Make Sure You Get Ongoing Management

Once your system migration is complete, you want a provider that can offer you reliable and scalable services going forward. A FedRAMP authorization is not a one-time event: the provider must carry out continuous monitoring to keep it, so ask how they deliver that to you. Look for regular vulnerability scanning and penetration testing, monitoring of the system’s security status, tracking of open findings to closure, and ongoing maintenance of the platform architecture.

Having FedRAMP authorization means improved trustworthiness, reliability, consistency, and quality for cloud computing services, but not every FedRAMP provider will be a good fit. Do your research to make sure they can provide the type of customer service and ongoing management that lets your agency focus on content delivery rather than system administration, cyber-security, and the ever-changing realm of compliance standards.

Contact Contegix today to find out how you can leverage FedRAMP authorized services so you can do once and use many times.