FedRAMP Marketplace: Agency Guide

The FedRAMP Marketplace is the official online repository of Cloud Service Offerings (CSOs). It provides a convenient, one-stop shop for Federal Agencies to find FedRAMP Authorized cloud services. The FedRAMP program standardizes the security authorization process and assigns security Impact Levels for each cloud service. FedRAMP is mandatory for all federal agency cloud deployments. Agencies can then buy authorized software without going through the full authorization process. All Agencies should first use existing authorized products before investing resources to help a vendor get its software authorized.

The marketplace has a wealth of information on all participants and offerings. Agencies can find it overwhelming to find the right software or service. Use this extensive companion guide to understand how to use the marketplace and pick the best cloud product.

Understand The FedRAMP Program

The first step is to learn how the FedRAMP Program works. FedRAMP is mandatory for all agencies that use cloud products. This program standardizes the security authorizations of products. The benefit is that it removes duplicate efforts across the government. So Agencies can buy such authorized products knowing that they meet specific security requirements.

Keep in mind that each Agency must still individually authorize each product that it uses. The benefit of using an authorized product is that the process is much simpler. The Agency does not need to go through the complete security assessment and process. A full process requires significant time and resources. Instead, it can re-use the authorization. That means the Agency can conduct a review of an existing security assessment. If it satisfies the Agency’s needs, then it can issue an Authority To Operate (ATO) and deploy the software.

Understand Your Agency’s Needs

There are a wide variety of available options. So it’s important to know what your organization needs. Here are some questions to ask:

  • What problem are you trying to solve? Improving efficiency and costs? Replacing old technology?
  • Does your use case involve sensitive information or content?
  • Do you need cloud tools or server infrastructure for custom apps?
  • Who are the end users? Employees who need to streamline their work? Developers that need specific tools or infrastructure?
  • What are your security requirements?
  • What are your budget expectations?

There are three broad types of software on the marketplace:

  • SaaS: Software as a Service. These are apps mainly for end users. An example would be federal employees using Box to share and edit files. The provider is responsible for managing the entire infrastructure.
  • PaaS: Platform as a Service. Platforms help manage underlying server infrastructure. They provide a development framework or tools for developers to build and run their applications. One example is Appian, where developers can use its tools to build custom apps.
  • IaaS: Infrastructure as a Service. These providers offer cloud infrastructure and services such as compute, storage and networking. An example is IBM Cloud for Government. The Agency would be responsible for managing and deploying infrastructure assets.

Detailed table of the three types of cloud products offered on the FedRAMP Marketplace.

Examples of SaaS, PaaS, and IaaS options on the FedRAMP Marketplace

If you’re unsure of which fits best, figure out who the user of the product would be. Is it a developer who will be coding with software tools or managing infrastructure? Or is it an employee who needs user-friendly software to help with their day-to-day tasks? Information workers would more likely use products in the SaaS category. PaaS/IaaS is more geared towards developers.

Understand Your Security Requirements

It’s important to understand the risks for your use case. The FedRAMP program uses FIPS 199 to categorize software across three attributes (Confidentiality, Integrity, Availability) by Impact Levels: Low, Moderate, and High.

Here’s a question: if the software and underlying data were breached or disrupted, what effect would it have on your agency? FIPS 199 defines impact as Limited, Serious, or Catastrophic. These respectively correspond to the Low, Moderate, and High Impact Levels. In practice, there is a minimum set of security controls to reach each level. Low requires 125 controls; Moderate requires 325 controls; High requires 421 controls.

There is also a new fourth Impact Level called LI-SaaS. This is a lightweight security level under the FedRAMP Tailored program. This only requires 37 controls and has specific limitations. For example, software under this category cannot use any PII (personally identifiable information).

For most Agencies, Moderate Impact Level is sufficient for a broad set of use cases. Most SaaS products fall under this category today.

Where Should Agencies Start First?

There are over 200 Authorized products on the marketplace. Unless you know exactly what you’re looking for, the best approach is to explore products that have the broadest impact.

1. Secure Your Content and Data In The Cloud

Every Agency has sensitive and confidential content. Every employee needs a very secure, but dead simple interface to share files. But many use outdated, hard-to-use file systems, clunky software or email to share and edit files. They may even circumvent security protocols when faced with poor interfaces. So it’s important to drive security compliance while boosting employee productivity. Keeping content safe is the top priority for Agencies when moving to the cloud. So this is the first purchase decision to make.

Many Agencies use a content cloud solution such as Box. Box has more FedRAMP authorizations as compared to other independent productivity-focused companies. It has 40%+ more authorizations than Slack, the next biggest provider. The Box platform provides Agencies high security with advanced enterprise controls. There are also options to add deep malware file protection and full AI-based governance and compliance controls. Just as important, federal employees love the simple interface. There are productivity features such as eSignature, contract management and advanced collaboration. Finally, developers build apps on top of Box by using it as the platform layer for files and content. There are multiple FedRAMP products that depend on Box for their product to function.

2. Move Infrastructure To The Cloud

Many Agencies have apps that run on on-premises infrastructure. Unless your Agency has huge scale and resources, it almost always makes sense to use cloud infrastructure. The cost of maintaining datacenters is higher when considering total hardware, software and employee labor costs. The transition takes time, but the payoff is big.

Here you need to be deliberate in picking a vendor(s). The most common cloud infrastructure providers include AWS, Google Cloud, Microsoft Azure, IBM and Oracle. Negotiate costs with each vendor and see which partner is best for your digital transformation. Ideally your applications are platform agnostic. But the reality is that developers often design their apps using the provider’s specific APIs and services, so it can be difficult to switch over.

3. Use This Guide To Explore The Marketplace

The FedRAMP Marketplace continues to grow every month. Explore what products have authorization and see if they meet a significant need in your organization. Does it replace an old technology and provide significant ROI? Will it provide advanced technology that will accelerate your digital transformation?

There are many cases where employees are already using a FedRAMP product. If so, it is easy to comply with the FedRAMP regulations.

4. Work With A Vendor To Get FedRAMP Authorized

Need a cloud product that is not on the marketplace? You have the option to sponsor a company to help get their product FedRAMP Authorized.

Do I Need To Buy FedRAMP Authorized Infrastructure To Run FedRAMP Authorized SaaS or PaaS Products?

No. Any FedRAMP Authorized SaaS or PaaS product that sits on a FedRAMP Authorized infrastructure inherits the security controls of that infrastructure. Many SaaS products run on a FedRAMP Authorized public cloud infrastructure. So there is no need to purchase additional services.

However, the Authorization doesn’t work conversely. For example, running an app on AWS GovCloud doesn’t automatically give that app Authorized status. The app itself must go through an authorization process.

I’m a State or Local or non-US Government Agency. Can Non-Federal Agencies Benefit From FedRAMP?

Absolutely. Whether you’re a State or Local agency or a non-US government agency, you can still benefit from FedRAMP products. FedRAMP has some of the strictest security requirements in the world. Cloud providers must invest heavily to meet those standards. Many of those security benefits pass on to other customers.

The PMO publicly publishes all security control requirements associated with each impact level. For example, getting Moderate designation requires 325 security controls. So any entity, government agency or corporation can view this public list and see if it satisfies their needs.

You can’t directly participate in the FedRAMP program unless you are a federal agency. For example, only federal agencies can request to review the product’s security package. However, FedRAMP encourages State and Local governments to directly request security packages and information from the cloud provider. They can adopt and accept these packages for their own needs. In many cases, FedRAMP satisfies requirements for non-federal agencies.

If you’re a non-US government agency such as a European Union or UK agency, you can also benefit from a cloud provider that is FedRAMP Authorized. The program requires certain data and privacy protection requirements as many agencies deal with citizen data. Often these providers have also invested in GDPR compliance and other data processing requirements worldwide. So non-US agencies should always explore FedRAMP software products first.

FedRAMP Marketplace Sections

There are three sections to explore: Products, Agencies and Assessors

FedRAMP Marketplace divided into three sections: Products, Agencies, and Third-Party Assessors (3PAO)

1. Products

Products will list every cloud product that is actively part of the FedRAMP program. Each product will have one of three designations: FedRAMP Authorized, FedRAMP In Process, and FedRAMP Ready. Agencies should explore Authorized products to purchase software. In Process signals that the provider is actively pursuing an authorization process. Ready indicates that the product has a high likelihood of achieving authorization, but it has not formally entered the process.

2. Agencies

This section lists all Federal Agencies that are using FedRAMP Authorized products. It details the number of products and which specific products are used.

3. Assessors

The Assessors section contains all Third Party Assessment Organizations (3PAO). Assessors evaluate products on whether they meet the security requirements of the FedRAMP program. The Cloud Service Provider (CSP) contracts an Assessor for the process. So Agencies do not need to explore this section.

Filtering and Search Tips for FedRAMP Products

Filtering Criteria For FedRAMP Products

Filtering is the first step to quickly narrow down your search for the right product. The marketplace allows you to filter across eight different attributes. The left pane has a search function and a simple filtering menu.

Instructions on how to filter product options on the FedRAMP Marketplace

The left pane on the FedRAMP Marketplace allows users to filter across multiple product options.

  • Status: Authorized, In Process, or Ready. Agencies should select ‘Authorized’ to find approved providers.
  • Authorization Type: Filter whether the product first received authorization from the JAB or an Agency. Choosing based on this doesn’t matter as all authorizations are equally valid.
  • # of Products Authorized: Group by number of Authorizations each product has received. This indicates how many agencies are actively using the product.
  • Service Model: IaaS, PaaS, SaaS. This selection largely depends on what the Agency is looking for.
  • Deployment Model: Government Community Cloud, Hybrid Cloud, Public Cloud. This indicates how and where the specific cloud product is deployed.
  • Agencies: Selecting an Agency will show which FedRAMP products it is using.
  • Impact Level: High, Moderate, Low, LI-SaaS. These filter products by their security levels. The impact level corresponds to the level of security and risk required by the Agency. High would be appropriate for protecting information that would result in catastrophic effects if breached. In practice, most products with Moderate designation will satisfy most needs.
  • Providers: Shows what products are offered by the selected cloud provider.

Sorting FedRAMP Products

There are also options to sort products by Name, Service Model, Impact Level, and # of Authorizations. Use the filters first to narrow down the selection. Then you can sort by # of Authorizations to see the most popular FedRAMP products.

How to sort products on the FedRAMP Marketplace

Click on the filter functions at the top of the navigation to sort products.

Find Detailed Product Information

Clicking on any product will open a window with detailed information. 

How to find detailed information on a FedRAMP Product

The product information page provides a wealth of FedRAMP information for specific products

Here you can view when the product applied for FedRAMP Authorization and if/when it received its first authorization. You can also find detailed information such as a product description, impact level, deployment model, service model, the 3PAO partner, and contact details.

How to find which agencies are using a particular FedRAMP product

Be sure to see which agencies and other companies are using the product as a signal of a product’s popularity

There are two interesting areas to also look for: ‘Dependent Products’ and ‘Agencies using this service’.

  • Dependent Products refer to other companies that have dependencies on the specific product. For example, the Box product page lists that DocuSign Federal has dependencies on Box. If you see a product that is a platform for others, then it’s a good sign that it is a strong platform that other FedRAMP products build upon.
  • Agencies using this service will list out every specific agency that has authorized the product and is actively using it. This can be helpful as it may reveal that a close partner agency is using the product and that it may fit your needs. Also, a product with more authorizations is a product that has been vetted more frequently and is likely to be impactful in your own agency.

Download the Raw Data

The Marketplace features an option to export marketplace data in a CSV file. It has a subset of the information displayed on the website. But it provides a format where users can create their own pivot tables using a spreadsheet program.

Find Products Your Agency Is Using Right Now

The Agencies section displays every FedRAMP product a federal agency is using today. Clicking on a specific name will display the active products authorized with that specific agency.

How to find all the FedRAMP products a specific federal agency is using

Is your agency on the leading-edge of cloud adoption? The number of authorizations gives a metric of how much cloud adoption is occurring at each agency. For example, the Department of Health and Human Services is the leading agency of FedRAMP usage based on number of products. They are a very forward organization in terms of cloud adoption.

Are Your Employees Using A FedRAMP Product Already?

Officially, agencies must use the FedRAMP program to use cloud products. Yet, a requirement for products pursuing authorization is that there must be demand for the product. The best way to show that is if the agency has employees already using the product. So it’s common for employees to be using cloud products before obtaining authorization. This happens frequently with wide-use applications such as Box or Slack. Box is especially popular across agencies given its advanced security features. Rather than trying to manage individual employee accounts, agencies should deploy the software across the organization. Then it can standardize its security and comply with FedRAMP regulations. It’s even easier if the product is already FedRAMP Authorized.

I Don’t See A Product I Need on The Marketplace. What Should I Do?

First, consider existing alternatives that are already FedRAMP Authorized. Using an existing product is much easier. 

If you need to use a product that is not authorized, you must sponsor the company under a full process. The Authorization to Operate (ATO) process can take 4-5 months. This assumes that the product already satisfies many of the security controls. You should not apply unless there is a high chance of success. Agencies commit that the process will finish within 12 months (or 3 months if applying for FedRAMP Tailored).

The first step is to have the cloud provider work with a third-party assessor to get FedRAMP Ready. This designation is not required, but having this means that the product has a higher chance of succeeding. The provider has done preliminary audits including the Readiness Assessment Report. Almost all applications go through this route as it shows a strong commitment to the PMO (Program Management Office). The Ready status is valid for one year. Also note that this step is only for Moderate and High Impact Levels. 

Then your agency will work with the cloud provider for a full security assessment and authorization process. Once the PMO approves the authorization, the agency can deploy the software.

What Else Do I Need To Know About The Marketplace?

Each agency must issue its own authorization when it wants to use a FedRAMP product. FedRAMP ensures that a product meets its assigned security impact level. But it’s the agency’s responsibility to make sure that the product fits its own security needs. 

Also note that the certification is not a one-time process. FedRAMP requires continuous monitoring protocols and annual security assessments. The cloud provider handles most of these and can provide monthly updates uploaded to the repository. 

I’m Ready To Buy a FedRAMP Product. What Do I Do Next?

Once you have found the product that fits your needs, the next step is to submit a request to review its FedRAMP security package. At the same time, reach out to the company to understand how their product will address your needs. See if the product can fit within your budget. Then you can proceed to pursue a re-use of an authorization using this agency guide.

Need more guidance? Speak to Box and we will walk you through how easy it is to get Box authorized with your agency.