Perhaps you saw the recent news from Salesforce.com that its Government Cloud has received approval under FedRAMP guidelines to provide platform-as-a-service (PaaS) and software-as-a-service (SaaS) for federal agencies.
But then you asked yourself: Just what the heck is FedRAMP?
Like many government programs, it’s not always easy to understand. But we’ll try to explain the best we can and answer a few more of your questions below.
What is FedRAMP?
The Federal Risk and Authorization Management Program, or FedRAMP, is a government program administered by the General Services Administration (GSA) that “provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.”
What does that mean?
Well, if you’re a cloud service provider (CSP), like Salesforce, basically the government is saying: If you want to do business with us, you have to prove your products and services meet our standards for data security and recovery and other things that are important to us.
When a vendor demonstrates that they meet the FedRAMP standards, they can then provide their approved cloud services to any federal government agency.
And the government is doing this because…?
Because it wants agencies to use more cloud services. In fact, it’s mandating them to do so under a policy known as Cloud First.
But until recently, each individual agency buying cloud services or software was conducting its own security assessment, which meant a lot of redundant and costly extra work for both the government and the vendors.
Now, under the FedRAMP program, that security assessment is, in essence, a one-time process. Once you’ve been approved for one agency, you’re approved for all of them.
Salesforce says it has an ATO. What’s that?
ATO stands for “authority to operate.” There are a few different paths to earn FedRAMP approval, and one of those paths is to work closely with a sponsoring agency to get an ATO. Salesforce partnered with the Department of Health and Human Services, and the agency ultimately determined that the Salesforce Government Cloud was complete, consistent and compliant with FedRAMP requirements.
Like we said earlier, approval for one agency means approval for all, so an ATO is a big deal.
What’s the Salesforce Government Cloud?
In 2012, Salesforce launched its own dedicated, multi-tenant instance of Salesforce.com, called the Government Cloud, primarily to meet those all-important federal government security standards, which are outlined in the Federal Information Security Management Act (FISMA).
Functionally, the solutions offered under the Government Cloud are much like those Salesforce sells to commercial customers, except they’re configured for the types of services offered by public agencies, like communicating with their citizens or managing grant and funding requests.
In addition, lots of Salesforce AppExchange partners like us are building apps specifically for public sector use. Our DARS app, built on Salesforce1, for example, lets emergency management agencies use mobile devices to speed up post-disaster damage assessment.
The deadline for agencies to show compliance with FedRAMP standards has come and gone. What’s up with that?
It’s true that all federal agencies that use cloud services were supposed to adopt the FedRAMP standards by June 5, 2014. But most observers say that hasn’t happened, and that the deadline was a soft one. While there are no penalties (so far) for missing the deadline, it has created more urgency at the federal level for agencies to assess their cloud computing needs and to use secure and approved service providers. That’s good news for Salesforce, since it has already cleared the FedRAMP ATO hurdle.