Federal Cloud

Federal Cloud Compliance Starts with the Right Authorization Path

Federal agencies can only procure cloud services that meet their security authorization requirements. Before you can sell to the government, your cloud environment has to qualify. Fortreum guides cloud service providers through every federal authorization path.

Graphic illustrating FedRAMP authorization flow from Controlled Unclassified Info through a security shield to Secure

FedRAMP Authorization Path

FedRAMP Is the Entry Point to Federal Cloud Revenue

FedRAMP authorization is mandatory for federal cloud sales. Fortreum is a Top 5 3PAO qualified to assess and support your path.

What the FedRAMP path looks like:

  • Readiness assessment establishes your starting control posture and identifies gaps before formal assessment begins
  • Advisory services build your System Security Plan (SSP), control implementation, and continuous monitoring program
  • Third Party Assessment Organization (3PAO) assessment validates your controls against FedRAMP requirements and produces the assessment package your authorizing official requires
  • Authority to Operate (ATO) support guides you through the agency authorization process to achieve your ATO

Impact Level Guide

Your Data Determines Your Authorization Requirement.

The Department of Defense uses impact levels to classify cloud environments based on the sensitivity of the data they process. Your impact level determines which cloud security requirements apply to your environment and which authorization path you must follow.

DoD Cloud Roadmap

Selling Cloud Services to DoD Requires a Separate Authorization Path.

Defense Department cloud procurement follows a distinct authorization path from federal civilian agency procurement. DoD environments must meet impact level requirements and obtain a DoD Provisional Authorization in addition to or in place of standard FedRAMP authorization. Your target impact level, data classification, and deployment model determine which path applies.

The DoD cloud authorization roadmap:

  • Identify your target impact level based on the data your environment will process and store
  • Achieve the corresponding FedRAMP baseline authorization where applicable
  • Pursue DoD Provisional Authorization through the Defense Information Systems Agency review process
  • Maintain continuous monitoring obligations specific to your impact level throughout the authorization lifecycle
Businessman in a gray suit gazes up at towering skyscrapers from a rooftop ledge against a blue sky.

FISMA Overview

FISMA and FedRAMP Are Not the Same Thing.

What FISMA Is.

The Federal Information Security Modernization Act (FISMA) establishes the security requirements for federal information systems, including agency-operated systems and the contractors and cloud providers that support them. If your organization operates a system on behalf of a federal agency, not as a commercial cloud service, but as a direct contractor, FISMA applies to you.

How FISMA Differs from FedRAMP.

FedRAMP applies to commercial cloud service providers selling services to federal agencies. FISMA applies to federal agencies and the contractors running systems on their behalf. A CSP with FedRAMP authorization satisfies the cloud-specific FISMA requirements for the agencies that use their service, but contractors operating agency systems directly must satisfy FISMA requirements independently.