What makes selling to DoD different than selling to the Civilian sector? What is this FedRAMP+ that people are talking about?
Leverage our cloud security consultants to navigate the waters of DoD so that you can obtain a provisional authorization (PA) to sell to all of DoD. Fortreum team members have supported numerous DoD assessments and will help guide your team to success.
The Department of Defense maintains its own security requirements for cloud service providers. These are defined within the Cloud Computing Security Requirements Guide (SRG) and are aligned to various impact levels. Fortreum’s Federal Risk and Authorization Management Program (FedRAMP) DoD Gap Assessment provides the following:
- Overview of the DoD authorization process, Impact Levels (IL) and their similarities to FedRAMP
- Identification of gaps in your security control implementations
- DoD boundary review and validation
- Roadmap to a DoD Provisional Authorization (PA)
Why Choose Fortreum?
We simplify cloud and cybersecurity for our customers
Fortreum has enterprise-grade experience with the right blend of technical and analytical expertise to support your cybersecurity and cloud needs.
Contact us to discuss your cyber and cloud business needs. We’re happy to share our insights and work with you as your business evolves.
FedRAMP+ is not the same as FedRAMP
FedRAMP+ is the overlay of DoD SRG requirements above FedRAMP’s baseline. FedRAMP is required for anyone selling to a federal agency; FedRAMP+ builds upon FedRAMP and is required for anyone selling to a DoD organization. Thus, knowing who your end customer is up front will help ensure you have the proper requirements incorporated into your cloud service offering.
Provisional Authorization Takes Time
The DoD authorization process is quite lengthy, as the reviewers want to ensure the package is comprehensive. DoD states that the estimated duration is 11-17 weeks, excluding the 3PAO assessment and system package preparation activities; however, this will vary widely depending on the scope and complexity of the cloud service offering.
DISA Plays a Critical Role
The DISA Cloud Assessment Division serves as a reviewer on the JAB, but when it comes to DoD sponsoring organizations, it provides additional support to DoD component sponsors and mission owners. Where applicable, DoD assigns a Joint Validation Team (JVT) to perform the review; this is the same team that provides recommendations for authorization and briefs the authorizing official.
FedRAMP reciprocity has long been a problem for both government and industry. To address this, DoD signed a DoD-wide provisional authorization in 2019 allowing DoD organizations to use FedRAMP Moderate authorizations to satisfy DoD SRG Impact Level 2. This quickly opened the door for the 200+ FedRAMP-authorized cloud service offerings to be adopted within the DoD community.
Why is DoD Cloud important?
Similar to FedRAMP, where a cloud service offering must be authorized before a Federal Agency can use it, a cloud service provider that wants to sell a cloud service offering to a DoD organization must obtain a DoD Provisional Authorization (PA) for that specific offering. This is above and beyond what is covered in FedRAMP and is defined within the DoD SRG. If there is no DoD PA in place, the cloud service offering cannot be used by any DoD organization.
The requirements are outlined within the SRG and go beyond the FedRAMP-defined baseline. These additional requirements are quite extensive and often require the provider to plan how they will be met before the 3PAO assessment.
Why should my organization care?
The use of cloud services continues to rise rapidly. This holds true for the US Government, including DoD organizations. While DoD was slow to adopt the cloud in the early days of FedRAMP, it has since exponentially increased the number of authorizations year over year. On top of that, more and more DoD organizations are sponsoring new authorizations through the process.
This trend will continue as more cloud service offerings are brought into the DoD marketplace. In fact, the more niche the product, the more likely a DoD organization will be interested in procuring it if it aligns to their mission. Fortreum recommends that cloud service providers understand these points when approaching a potential DoD organization about sponsoring them through the program.