Data security
Chris Masterson

Understanding FedRAMP and Its Relationship with Procurement


The Federal Risk and Authorization Management Program (FedRAMP) has become an increasingly common talking point in the world of procurement. At JAGGAER, we’ve made a commitment to achieving FedRAMP compliance as a cloud services provider. FedRAMP demands high levels of information security, and as JAGGAER’s Head of Security Andrew Hutchison said, “Our world today is data-driven, and we’re dedicated to ensuring we build a trusted environment where customers feel confident that their information will be secure, private, and accessible.”

So what exactly is FedRAMP, what are the essential elements, who’s it intended for, and what does it have to do with procurement?

What is FedRAMP?

FedRAMP is designed to promote the adoption of secure cloud services across the U.S. government. The program provides a standardized approach to security and risk assessment. FedRAMP is required for all Executive Agencies by federal law. In total, 159 government organizations were participating in FedRAMP as of 2019. The program includes hundreds of control areas, such as encryption, authentication, vulnerability scanning and more.

FedRAMP increases confidence in government systems and provides expanded transparency between government agencies and application providers.

What are the FedRAMP levels?

There are four main authorization levels for cloud services. The first, Tailored for LI-SaaS, applies to low-risk use cases and includes authorization on 36 separate controls. The other three authorization levels directly relate to the potential impact of a data breach:

  • Low: 125 controls. This level is intended for applications that don’t store personal information beyond what’s necessary for login and that would have minimal impact on government operations if breached. These systems typically hold only information that is already publicly available.
  • Moderate: 325 controls. This level is used for cloud services whose breach would have serious adverse effects on agency operations, and it accounts for about 80% of federally used cloud services.
  • High: 421 controls. This level is reserved for vital services such as healthcare, finance, or law enforcement information systems.

What is FedRAMP ATO? How is it different from FedRAMP Ready?

FedRAMP ATO stands for Authority to Operate. In short, this is a FedRAMP certification that allows government agencies to work with the authorized provider. This means that the provider has demonstrated the necessary FedRAMP controls, and also that they have the appropriate processes in place for continuous monitoring to maintain security.

FedRAMP Ready, on the other hand, is a designation that a certified Third-Party Assessment Organization has reviewed a given cloud provider’s systems and that they are capable of meeting the FedRAMP standards. In short, a cloud provider has partnered with a third-party assessor and has completed a readiness assessment but has not yet received ATO accreditation from FedRAMP. Many organizations seek to receive Ready designation before pursuing ATO status.

Who needs FedRAMP?

FedRAMP is crucial for any cloud service offerings that are used by the federal government of the United States. If you hold any federal data, your system must be FedRAMP authorized. While some government agencies, like the Department of Defense, may have additional requirements for cloud solutions, FedRAMP serves as the basis and is a consistent requirement.

FedRAMP and Procurement

Historically, the public sector has sometimes lagged behind private organizations in adopting new software systems, and procurement is no exception. But times are changing, and more and more government organizations are turning to digital procurement platforms to drive taxpayer savings and increase internal efficiency.

For the federal government, of course, this creates the need for FedRAMP-authorized procurement tools. That’s why JAGGAER is committed to not only meeting but exceeding the requirements of the federal government for our leading procure-to-pay tools. For decades we’ve helped public organizations around the world improve their procurement processes and achieve savings. As we work toward FedRAMP authorization, we look forward to doing the same for federal agencies.

FedRAMP will be added to JAGGAER’s long list of privacy and security certifications including ISO and SOC reports. To learn more about how JAGGAER prioritizes protecting your business data, visit our Trust Center.
