Cloud security

The federal government spends hundreds of millions of dollars a year securing the use of IT systems. In 2011, the White House’s Office of Management and Budget (OMB) issued the Cloud First policy to harness the benefits of cloud computing. But with cloud adoption comes the heightened challenge of ensuring a secure and trustworthy environment. Enter the Federal Risk and Authorization Management Program (FedRAMP).

FedRAMP LogoFedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves an estimated 30% to 40% of government costs, as well as time and staff required to conduct redundant agency security assessments. FedRAMP has defined requirements for cloud computing security controls, including vulnerability scanning, and incident monitoring, logging and reporting. Implementing these controls improves customer confidence in the acquisition of solutions from cloud service providers (CSPs).

Some of the major FedRAMP benefits to CSPs include:

FedRAMP compliance allows you to compete for government business, and it gives you a competitive advantage over other CSPs that haven’t been through the process. There’s also an upward trend of commercial and nonprofit organizations preferring FedRAMP-authorized cloud solutions to ensure they mitigate supply chain risks through the implementation of the FedRAMP minimum-security control baselines.
Undergoing the rigor of a FedRAMP assessment may expose vulnerabilities in your system environment that may not be detected by current security controls. Subjecting your cloud service offering(s) to independent assessment leads to greater customer confidence and minimizes the probability of a security breach through the implementation of recommended security controls.
FedRAMP requirements map back to many industry standards, including FISMA, RMF for DoD IT, ISO 27001, PCI, HIPAA/HITECH, COBIT and GLBA. Done correctly, preparing for FedRAMP can help CSPs establish a unified approach to the numerous compliance requirements customers demand. Unified compliance limits the duplication of assurance efforts across regulations and between a CSP and its customers.


Federal government agencies acquiring cloud solutions must utilize CSP solutions that have undergone the rigors of FedRAMP or an equivalent process meeting FISMA requirements. 38North FedRAMP consultants also have significant experience assisting federal, commercial and nonprofit organizations in meeting the requirements of the NIST’s Risk Management Framework through our FISMA and RMF for DoD IT services.

Our FedRAMP consultants provide the following services:

FedRAMP Gap Analysis: This is perfect for CSPs that are new to FedRAMP and don’t know how to get started. Our FedRAMP gap analysis will educate you on the process while taking a look at your cloud service solutions to see how they fare against the FedRAMP minimum security control baselines. We also let you know how much it will cost to undergo independent assessment by an accredited FedRAMP Third Party Assessment Organization (3PAO), attain FedRAMP authorization, identify any risks or challenges, and focus your attention on the most critical items to help prepare you for authorization.

FedRAMP Advisory Support: If you’ve committed to the FedRAMP process but need help developing the required documentation, our advisory support can help. 38North’s experienced FedRAMP consultants can develop the full range of FedRAMP documentation, including the FedRAMP Initiation Request, FIPS 199 categorization, System Security Plan (SSP), Contingency Plan, Incident Response Plan, Configuration Management Plan, Privacy Impact Assessment (PIA), eAuthentication Workbook, User Guide, Rules of Behavior and policies/procedures.

FedRAMP Assessment Support: Preparing for your first FedRAMP assessment but need some assistance? Let our experienced FedRAMP consultants take care of the hassle dealing with the 3PAO. We are well-versed with all the quirks of the FedRAMP process and can expeditiously resolve findings so you can get your authorization in the minimum amount of time possible.

FedRAMP Remediation Support: This services is for those CSPs that recently completed a FedRAMP assessment and need some assistance with the planning, development and implementation of remedial measures. This may come in the form of new technologies, policies, plans, procedures or training and awareness sessions. It may also mean working with what you have in place and tailoring organizational processes to squeeze a little more out of existing investments.


Contact us to find out how our expert consultants can help you achieve and maintain FedRAMP authorization while strengthening your security posture.