3min. read

An Overview of FedRAMP and Why You Should Care About It


In 2017, the White House signed an executive order to strengthen the cybersecurity of federal networks and critical infrastructure. With this directive, combined with the Modernizing Government Technology Act, U.S federal agencies are focusing on modernizing their IT infrastructure while making security a top priority. A key component of this modernization is accelerating the adoption of secure, cloud-based services. The Federal Risk and Authorization Management Program, or FedRAMP, was conceived as a way to minimize cybersecurity risk for federal agencies as they move to the cloud.

FedRAMP prescribes a standardized approach to security assessment, authorization and continuous monitoring for U.S. government agencies' use of cloud-based products and services. Federal agencies depend on this program to protect the confidentiality and integrity of their data when adopting private-sector security-, infrastructure- or platform-as-a-service technologies, abbreviated SaaS, IaaS and PaaS, respectively. Vendors of cloud services – what the program calls cloud service providers, or CSPs – follow prescribed paths to certification. Third-party assessment organizations conduct thorough assessments while the FedRAMP Program Management Office offers oversight and advice in addition to reviewing submissions and making authorization decisions.

Advantages of FedRAMP for Federal Agencies

The program offers a standardized, “do once, use many times” framework to save federal agencies time, effort and money when assessing security. At the same time, agencies retain control of the level of cybersecurity risk they are willing to accept for a particular cloud service. Agencies can evaluate authorized cloud vendors’ submission packages and decide for themselves whether the risk posture is acceptable for their needs or if they want to make changes.

Other Parties That May Be Interested in FedRAMP

A FedRAMP-authorized cloud service has applicability beyond federal agencies, including state and local governments as well as corporations that do business with federal agencies, which have similar requirements around data security and cybersecurity. They often have similar objectives, as well: to simplify operations, reduce operational overhead and improve agility by moving services to the cloud. A cloud service that receives FedRAMP authorization has met rigorous criteria for security standards, and broader public sector and public-sector affiliated corporations can confidently take advantage of such a service, knowing it is a secure alternative to using their own resources to manage and deploy infrastructure.  

More Information

You can find FAQs and detailed guidance for agencies, cloud service providers and third-party assessment organizations on the FedRAMP website. For more information on Palo Alto Networks® and FedRAMP, read our announcement or visit the Palo Alto Networks Government page.