5 Tips for Using the FedRAMP Marketplace
The FedRAMP Marketplace is a helpful resource for federal agencies looking for FedRAMP-compliant cloud vendors, products, agencies, assessors, and more. Choosing the best vendors to work with can be a time-consuming and stressful process, especially when you don’t know where to begin your search. However, the FedRAMP Marketplace can drastically shorten the length of your search.
While the FedRAMP Marketplace is a helpful resource, getting started with the search process can be confusing and a little overwhelming. Here are a few pieces of advice to help you have the best experience in the FedRAMP Marketplace, and find the best cloud service providers for your organization.
1. Outline Your Needs
The best way to start your search for the right solutions, service providers, or third-party assessors is by outlining your organization’s specific needs. It’s difficult to search for a solution or partner if you’re not quite sure what your organization needs.
There are three factors you should consider: your data security needs, your budget, and your timeline. Sit down with stakeholders in your organization and discuss these different factors. Once your entire team is on board, you’re ready to start looking for options in the FedRAMP Marketplace.
When you’re thinking about your data security needs, compare them to FedRAMP’s security classifications. FedRAMP places all service providers into three different categories: Low Impact, Moderate Impact, and High Impact. Low Impact CSPs have minimal security measures in place. Moderate Impact CSPs have enough security measures in place to meet most security needs, including Controlled Unclassified Information (CUI). High Impact CSPs have the greatest level of data security measures in place, making them ideal for companies handling the most sensitive federal government data.
2. Know the Difference Between Ready, In Process, and Authorized Partners
FedRAMP compliant partners fall into three different categories, depending on the different data security measures these cloud service providers have in place. Knowing more about each of these different categories – FedRAMP Ready, FedRAMP In Process, and FedRAMP Authorized – makes it easier to navigate the FedRAMP Marketplace. You can compare each of these different categories to your own needs, and find the right service provider.
Here’s a little bit more about each of the different FedRAMP categories:
- FedRAMP Ready - While a FedRAMP Ready organization has begun the assessment process, they are only in the beginning stages. At this point, the CSP has completed the Readiness Assessment Report (RAR) which has received approval from the FedRAMP Program Management Office (PMO). They are also likely to receive a Provisional Authorization to Operate (P-ATO) via the Joint Authorization Board (JAB) or an Authorization to Operate (ATO) from another agency they are working with.
- FedRAMP In Process - This is the middle stage between initial authorization steps and receiving authorization. At this point, the cloud service provider is going through the review process, either by a JAB P-ATO or an ATO from an agency.
- FedRAMP Authorized - A CSP that is FedRAMP Authorized is compliant, approved, and ready to work with government agencies. Whether they have received a P-ATO from the JAB or an ATO via an agency, the CSP has proven their ability to meet FedRAMP data security standards.
Ultimately, working with a service provider that has already received FedRAMP Authorization eliminates much of the hassle that comes with sponsoring this process yourself. One that has already received authorization saves you time and gives you confidence in their security standards.
3. Remember, FedRAMP Offers More than CSPs
While the FedRAMP Marketplace might be your first stop for a cloud service provider, you can also find other options to meet your organization’s needs. The FedRAMP Marketplace provides FedRAMP approved products, agencies, and assessors for organizations to choose from.
Depending on what you need, you can search the FedRAMP Marketplace for the following offerings:
- Products or Solutions
- Service-Based Agencies
- Third-Party Assessment Organizations (3PAOs)
Search through the marketplace to learn more about what it has to offer. You’re likely to find numerous options to meet different needs your organization has.
4. Use Filters
You know what your organization is looking for, especially if you followed the first piece of advice in this article: outline your needs. Based on the needs that you’ve outlined, you can narrow your search in the FedRAMP Marketplace to make the selection process easier. When you filter results based on what you’re looking for, you’re sure to find the best option.
For example, if you were looking for an authorized agency partner with about a dozen or so authorized products at a moderate impact level, you can set filters to identify CSPs that meet those criteria. You can also filter results to find different service models, like infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS) options. Or maybe you’ve heard of a specific cloud service provider a trusted industry connection has worked with in the past. In that case, you can search for the CSP directly.
5. Download Filtered Data
Once you’ve used filters to narrow down your FedRAMP Marketplace search results, it’s smart to download the filtered results to a CSV file. By doing so, you have a group of possible options for your company’s needs. Downloading this data makes it easy to search through options both now and in the future if you need to search for service providers again.
Each of these five tips will help make your search through the FedRAMP Marketplace easier. You can use the marketplace to find FedRAMP approved and compliant providers, and you’ll feel comfortable trusting your sensitive data to these partners.
About Martin Horan
Founder of FTP Today and an expert in secure file transfer and Internet protocols. A software and IT geek since a young age, Martin has successfully led his companies through the digital age by spotting market niches and filling them with quality IT services.