Select Page

Why FedRAMP is Important?

Three decades ago, the U.S. Government began to recognize the enormous gains of adopting the cloud for government IT infrastructure for its elasticity, data and cost-efficiency. While the cloud first policy set the stage for extensive adoption in the government sector, integration of the cloud services and products has been challenging. Compliance and security assessments have proven complex and time consuming for CIOs, with federal organizations spending millions of dollars each year for securing their IT systems.
To solve this issue and reap cloud benefits, the U.S. government developed a set of security standards to make sure cloud services and products could protect federal data appropriately. By offering a standardized approach to “Authorization, Security Assessment and continuous monitoring for cloud services and products” – the Federal Risk and Authorization Management Program or FedRAMP helps federal organizations save considerable expense and time.

How FedRAMP was developed?

Certification and Accreditation (C&A) was originally issued by the DIACAP (Department of Defense Information Assurance Certification and Accreditation Process) which applied risk management frameworks (RMFs) to information systems. National Institute of Standards & Technology (NIST) RMF further standardized the process. But, security claims needed to be backed up with actual evidence in the form of third party certifications.

This evidence usually involved FIPS 140-2 for conventional standalone on-prem products encryption. Common criteria certification was used to handle general security claims. These two certifications did one very important thing:

They provided a validation criteria that security and data encryption claims could be measured against at any point in time. Organizations could also do a standalone FISMA (Federal Information Security Management Act) valuation for on-premise solutions, however, this was neither scalable to other federal organizations nor recognized, therefore multiplying the workload and burden to go through multiple authorizations.

How do you scale security authorizations for the cloud?

The Federal Risk & Authorization Management Program (FedRAMP) is a government wide program that provides a standardized-approach to continuous monitoring, authorization and security assessment for cloud services and products. This allows Cloud Security Solutions to be assessed and that assessment can be used across multiple organizations. FedRAMP is based on the NIST SP800-53; the gold standard for security control frameworks. More importantly, FedRAMP provides a consistent and clear way for cloud service providers like StoneFly, as well as customers to measure security on on-going basis. It provides cloud service providers a measurable way to implement security the right way.

Applying the FedRAMP model to their evaluation of cloud services and products, government organizations can achieve several benefits, including:

  • Uniform authorization and assessment of cloud information security and controls
  • Significant cost and time savings when compared to conducting independent assessments, which can often be redundant
  • Faster adoption of cloud-solutions
  • Improved trust in the validity of assessments and alleviated cloud security concerns
  • Increased Visibility into all aspects of cloud security controls


FedRAMP evaluates cloud service providers through a comprehensive two-step process. The model is based-on a uniform set of standards, by which, it is decided if a cloud service or product has adequate information security and controls.

  • Audits and authorization: Outside federal organizations approved by FedRAMP audit the cloud system to make sure that the cloud provider can endure a series of security threats
  • Ongoing Audits and Authorization: In order to maintain an adequate status, the authorized cloud system shall continue to undergo audits and assessments

StoneFly Storage in Azure and Azure Government earned a P-ATO from the Joint Authorization Board

The Joint Authorization Board or JAB is the primary decision-making and governance body for FedRAMP. CIOs from the Department of Homeland Security, Department of Defense and the General Services Administration serve on the JAB. The board grants Provisional Authority to Operate (P-ATO) to Cloud Service Providers that have demonstrated FedRAMP compliance.

Microsoft Azure is the first public cloud with platform and infrastructure services to receive a P-ATO. StoneFly’s Storage in Microsoft Azure maintains a P-ATO at the Moderate-Impact Level. Also, StoneFly’s Storage in Azure Government is granted a P-ATO at the High-Impact Level by the JAB, the highest level for FedRAMP accreditation. This accreditation authorizes StoneFly’s Storage in Azure Government to process highly-sensitive data. The FedRAMP audit of StoneFly’s Storage in Azure Government and Azure includes the information security management system that includes development, infrastructure, management, operations and support for in scope services.

StoneFly has been working with government organizations for the last 2 decades, and have received much appreciation for security and more importantly for Certification and Accreditation or “C&A”. StoneFly and Azure together provide a FedRAMP Certified turnkey solution that offers governance, compliance and data protection solutions for customers in both public and private organizations.

Recent Posts

What to Consider when Implementing DRaaS for ransomware protection

What to Consider when Implementing DRaaS for ransomware protection

According to Gartner, downtime costs more than $5,600 a minute; therefore, every business needs a reliable means of backup and disaster recovery. Disaster Recovery as a service (DRaaS) provides recovery in the cloud and is a cost-effective and highly efficient...

Downtime Cost: How to Calculate and Minimize it

Downtime Cost: How to Calculate and Minimize it

Downtime is bad for business. When applications, data and services are unavailable, business is disrupted, customers and stakeholders are unhappy, and regulatory authorities fine you. The true cost of unplanned downtime goes beyond lost revenue. How does one calculate...

Disaster Recovery as a Service (DRaaS) or On-Site DR Appliance?

Disaster Recovery as a Service (DRaaS) or On-Site DR Appliance?

Disaster Recovery-as-a-Service (DRaaS) delivers serverless recovery capabilities while disaster recovery (DR) appliances provide the on-prem secondary site that facilitates quick recovery. Which of the two is the best fit for you? Both deployment options have their...

FC SAN vs iSCSI SAN: What’s the Difference?

FC SAN vs iSCSI SAN: What’s the Difference?

Storage area networks (SANs) are a permanent fixture in corporate data centers used to host high-performance block-level structured workloads such as databases, applications, etc. If you’re familiar with SAN systems, then you’ve heard of Fibre Channel (FC) and iSCSI...

You May Also Like

Subscribe To Our Newsletter

Join our mailing list to receive the latest news, updates, and promotions from StoneFly.

Please Confirm your subscription from the email