Metallic is FedRAMP High

Introduced in 2012, the Federal Risk and Authorization Management Program (FedRAMP) is a US government certification program that provides a standardized security assessment for cloud service providers.

FedRAMP offers a common framework for vendors to become authorized to work with US government agencies, and for those agencies to be assured of a standardized security practice to protect their most important strategic asset—their data.

Due to the rapid adoption of cloud technologies, FedRAMP was instituted to provide a repeatable and consistent process for government agencies and cloud service providers. At its core, FedRAMP serves to ensure federal and government data is consistently protected at an acceptable risk level in the cloud through a rigorous and multi-faceted vendor certification process.

FedRAMP is a mandatory requirement for solutions leveraging the public and government clouds to hold federal/state data. For government agencies, FedRAMP accelerates the adoption of cloud technologies, as all cloud service providers must meet rigorous and clearly documented standards to achieve authorization—assuring solutions adhere to proper security protocols.

With FedRAMP, vendors get an overarching program to verify that current cybersecurity and risk management standards required by federal bodies are met.

FedRAMP also applies to the private sector for organizations whose data is sensitive and, if exposed, could potentially result in a national health or security risk. Solutions that meet stringent FedRAMP requirements ensure the same level of controls and protection for their data as for federal government agencies. This is particularly true for businesses operating in highly regulated industries, those that have received federal grants or funding, government contractors, or publicly traded companies.

There are four primary steps in the FedRAMP authorization process:

Partnership establishment: This consists of an authorization kick-off meeting, submission of a System Security Plan (SSP), and a development of a Security Assessment Plan (SAP) from a FedRAMP-approved third party.

Full security assessment: The assessment organization then submits a Security Assessment Report (SAR), based on the findings of the SAP.

Authorization process: The Joint Authorization Board (JAB) approves or denies FedRAMP authorization. FedRAMP-authorized solutions are listed in the FedRAMP Marketplace. Denied solutions are invited to resubmit for authorization.

Continuous monitoring: The FedRAMP-authorized vendor then sends monthly security updates and deliverables to each government agency actively using the cloud service.

There are three FedRAMP security impact levels: Low, Moderate, and High.

The FedRAMP Low Impact Level applies to cloud service offerings (CSOs) that will be used to work with data that is already publicly available.

The FedRAMP Moderate Impact Level applies to CSOs being used for data that is largely not available for public consumption, such as personally identifiable information.

The FedRAMP High Impact Level applies to CSOs being used by agencies that handle the most highly sensitive unclassified government data, such as law enforcement, emergency services, financial systems, and healthcare systems, where a data breach could have catastrophic results. FedRAMP High systems must comply with 421 controls and reduce the probability of human error by automating as many processes as possible.

With Metallic, organizations get a single data protection solution that meets highest US government security standards, providing pristine backup and storage of their data – no matter how sensitive it is. Federal agencies no longer have to manage multiple cloud service providers, but can rely on Metallic as the only vendor certified to bridge this gap, delivering a single solution that comprehensively safeguards sensitive federal data from deletion, corruption, and ransomware attack.