Ask Dux: What is FedRAMP Certification and Why Does It Matter?

Post Date: 04/06/2022
feature image

Today, we’re going to be talking all about FedRAMP.

It’s not the first time we’ve talked about FedRAMP, but there are some fresh things to share. A ton of people are using cloud services now more than ever before, so the Federal Risk and Authorization Management Program has definitely become a big deal.

Looking for a good FedRAMP primer? Let’s go and Ask Dux!

In this episode:

What is FedRAMP?

Some people may think FedRAMP is a new thing, but it’s actually 11 years old. FedRAMP is essentially a United States federal government-wide program that provides a standardized approach to security assessment authorization and continuous monitoring for cloud products and services.

Long story short—it’s a standard and more stringent way of what the US federal government requires of federal agencies to go through and use for cloud services they have. Basically, it’s information confidentiality, your integrity against data being compromised or modified, and having things available where and when you need them.

FedRAMP Authorized

A lot of folks listening to this episode are familiar with Microsoft 365 or AWS from Amazon. We at AvePoint use Microsoft 365, and the service we use from Microsoft is provided through what’s called Microsoft commercial cloud offering. Meaning, any company can use it. You can sign up and get Microsoft 365.

But if I were the Department of Treasury and I want to use Microsoft 365, I can’t just sign up for the commercial cloud offering that Microsoft has. For Department Treasury or the United States Treasury, I have to sign up for Microsoft 365 that sits in a special data center that FedRAMP authorized.

So, companies like Microsoft or Amazon, even Google and other cloud providers—frankly, us as well—if we want to provide our solutions to federal government agencies, our solutions have to go through this process and have to be FedRAMP authorized.

The Process: From “FedRAMP Ready” to “FedRAMP Authorized”

If you’re FedRAMP ready, it does not automatically mean you are authorized to offer your services to federal agencies who may want to use it. When you visit the FedRAMP website, you’ll see status of companies under ‘Ready’, ‘In Process’, and ‘Authorized’.

Becoming FedRAMP-ready is only the first step, which means that your cloud product or service must fit FedRAMP’s bill of objectives. The next step through the process is having a federal government agency to sponsor you, or as they would say, give you that ATO or Authorization to Operate.

The idea is, this agency that will sponsor you will make a case to say, “Hey, we need AvePoint’s solution, their cloud service, to meet certain objectives we have in our organization.” And then you go through the process.

The process is very stringent and rigorous from a technical perspective, legal perspective, and security perspective. For us, that whole journey all in all took around five years to get to the point where we’re now FedRAMP authorized.

But even though you’re authorized, you’re authorized at different levels because different agencies have different requirements for the level of authorization. For example, defense agencies may have a higher requirement because of the nature of what they do. At the same time, if you want to introduce new products and new offerings, you have to get those authorized as well.

The Key Value for Federal Government Agencies

The majority—about 80%–of authorizations are “moderate”, which is what our solutions are. Six more solutions have been recently authorized. So, what’s the key value of that?

If you’re a federal government agency who’s embraced the cloud and leveraging technology like Microsoft 365, and you need advanced capabilities such as the capabilities we offer around managing data and managing Microsoft 365, then your first hurdle—which is looking for FedRAMP authorized solutions—is already checked because AvePoint is FedRAMP authorized.

That makes it much easier for you to have options. If all you have is a Microsoft 365 platform and you want advanced capabilities, unless you code it yourself or build these solutions yourself, the options are just not there.

We work closely with a lot of our customers, and we want to make sure that as they continue the partnership with us through their cloud journey, we want to be there for them as well by offering our services like backup, migration, license management, and assessing risks in their environment.

How Is This Relevant to the Citizens?

I’m actually glad that there’s an initiative like this because—especially being a taxpayer—I know that my contribution to the economy is being protected.

Now, a lot of the data that’s being used across different agencies are relying on cloud technologies, and it makes me feel a little better to know that government agencies are thinking about high-level security and compliance. Ergo, having this type of capability that’s required across federal agencies, I think it’s good for every citizen of the United States.

What’s Next for AvePoint’s Solutions?

For us, we’ll continue to work closely with a lot of our US federal agency customers. As the need arise for more of our products to be FedRAMP authorized, we’ll continue to go through the process. And certainly, we’ll expand further, especially with the needs of other agencies that we work with such as defense agencies that may require a higher level of FedRAMP authorization.

We’ll continue our work. In the end, we want to meet where our customers are, and we want to serve them as best as we can to help them fulfill their mission.

Episode resources

FedRAMP website: How to Become FedRAMP Authorized | FedRAMP.gov

FedRAMP Authorized AvePoint Solutions: AvePoint’s FedRAMP Authorization Expands to 6 More Solutions

Get involved!

Don’t forget to send us your questions on Twitter with a hashtag #AskDux or send us an email at askdux@avepoint.com.

Apple PodcastsSpotifyGoogle PodcastsStitcheriHeartRadioTuneInPodchaserOvercastCastroPocketCasts

Subscribe where you get your podcasts! Search for “#ShiftHappens” in your favorite podcast app.

With over 20 years of business and technology experience, Dux has driven organizational transformations worldwide with his ability to simplify complex ideas and deliver relevant solutions. He serves as the Chief Brand Officer of AvePoint who has authored the LinkedIn Learning course How to Build Your Personal Brand, the book SharePoint for Project Management, as well as numerous whitepapers and articles. As a public speaker, Dux has delivered engaging, interactive presentations to more than 25,000 people at leading industry events around the world. He also hosts the modern workplace podcast #shifthappens that focuses on how leading organizations navigated their business transformation journey. Dux advocates tirelessly for inclusion, using technology for good, and philanthropic initiatives. Connect with him: http://dux.sy

View all posts by Dux Raymond Sy
Share this blog

Subscribe to our blog