Are you wondering what is FISMA vs FedRAMP? In a nutshell, a FedRAMP certificate proves that a cloud-based service or product has been approved for use by US federal agencies. In other words, FedRAMP is a security control for cloud service providers. FISMA, on the other hand, is an IT and data security mandate that applies specifically to government agencies and their contractors. It is a set of standardized guidelines which outline how to store and process sensitive data.
In this blog, we’ll talk you through FISMA vs FedRAMP and help you better understand your compliance requirements. We’ll cover:
What is the difference between FedRAMP and FISMA?
What is FISMA compliance?
What is FedRAMP?
How to choose a secure cloud-based solution for US government
Ultimately, while FISMA provides instructions to federal agencies on how to ensure digital files and information are safe, FedRAMP guides government agencies on how to choose a secure cloud-based service provider that will protect sensitive government data.
Both mandates have the same ultimate goal: to protect sensitive government data from cyber security threats. They both derive their guidelines from the NIST 800-53 publication, which is a catalog of security and privacy controls for all US federal information systems and organizations—apart from systems related to national security.
FISMA originally came into force in 2002 in what was known as the ‘Federal Information Security Management Act’. Drafted specifically for federal agencies, the Act arose out of a growing need to protect federal information systems from security threats. It was a set of standardized guidelines and security controls relating to the storage and processing of sensitive data.
As defined in FISMA 2002, "[t]he term ‘Federal information system’ means an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency."
On December 18, 2014, former President Obama signed a new law to reform and modernize FISMA. It became the ‘Federal Information Security Modernization Act of 2014’. The reform grew out of a need to better tackle the increasing number of cyber-attacks on US government agencies and departments. It calls for
FISMA 2014 also formally codifies the Department of Homeland Security (DHS) as accountable for ensuring the government’s compliance with federal information security policies. While FISMA 2002 gave full responsibility to the Office of Management and Budget (OMB) for government-wide compliance, FISMA 2014 makes both the OMB and the DHS accountable.
On 25 January 2022, a new bill was introduced to the US government to reform FISMA. FISMA 2022 aims to improve the federal government’s cyber security in the wake of several high-profile cyberattacks, including SolarWinds and the Microsoft Exchange Server hack, as well as liabilities discovered in common Apache Log4j software.
If passed, the FISMA 2022 law would
"The federal government maintains extensive public records containing sensitive information on all Americans and businesses. Recent cyberattacks make it clear we need a modern update to the federal government’s cybersecurity practices to better protect against, quickly fix, and deter future damaging digital intrusions that can harm our economy and impact Americans’ daily lives."~ Rep. James Comer, who introduced the bill alongside Rep. Carolyn B. Maloney in January 2022.
FedRAMP stands for the Federal Risk and Authorization Management Program. It is a cyber-security risk management program relating to the purchase of external cloud services and products for US government.
Only cloud service providers (CSPs) with FedRAMP certification may work with government agencies. FedRAMP signals that a CSP’s services and products have officially been deemed safe for federal agencies and their contractors to use.
FedRAMP was implemented by the OMB in 2011 in response to the government’s 2011 Cloud First Policy. The policy was designed to accelerate the pace by which federal agencies could adapt cloud services and, as a result, improve operational efficiency.
If a federal agency looks to purchase a new solution, such as a secure file sharing tool for U.S. government, or a collaborative workspace for government and public sector organizations, the FedRAMP stamp of approval provides a high level of assurance that it's a secure system to use.
Cloud-based service providers who want FedRAMP certification must pass a security assessment by a 3PAO (a third-party assessment organization).
If you work for a federal agency, or are contracted to work for one, you’re legally required to use a cloud collaboration and file sharing solution that has the FISMA and FedRAMP seal of approval.
Did you know that Huddle was the first ever government collaboration solution to achieve FedRAMP status? U.S Government Agencies and Contractors use Huddle as the most trusted solution for sharing and managing documents, coordinating multi-agency projects and working with private-sector partners.
“Huddle provides a single place that everyone, from administrative staff in Washington D.C to local aid workers using a mobile device, can access and share the information that they need.” USAID