Federal Risk and Authorization Management Program

FedRAMP Overview

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP enables Agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT.

FedRAMP created and manages a core set of processes to ensure effective, repeatable cloud security for the government. FedRAMP established a mature marketplace to increase utilization and familiarity with cloud services while facilitating collaboration across government through open exchanges of lessons learned, use cases, and tactical solutions.

FedRAMP offers four security baselines to allow government agencies to match security to risk:

  • High (421 controls)
  • Moderate (325 controls)
  • Low (125 controls)
  • Tailored – for Low-Impact SaaS (38 controls)

ORockCloud: Authorized for FedRAMP Moderate

ORock’s core cloud service offering, ORockCloud, is authorized by FedRAMP at the Moderate Impact Level (satisfying FedRAMP requirements for Moderate, Low, and Tailored impact levels). ORockCloud’s authorization includes Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) models as well as Hybrid Cloud deployment.

Initially authorized on June 27, 2018 and assessed by Schellman & Company, an accredited third-party independent assessment organization (3PAO), ORockCloud is listed on the FedRAMP Marketplace under Package ID F1503096502.

ORockCloud is the first and only Red Hat® OpenStack-based cloud, and one of only a handful of federal small businesses, to achieve a FedRAMP Moderate authorization for IaaS and PaaS. This secure, open source cloud provides a highly scalable, bi-coastal environment with elastic, on-demand access to computing, storage, virtualization, networking, performance monitoring, and applications in ORock’s service catalog.

In compliance with FedRAMP guidelines, ORockCloud is managed by US citizens in ORock’s US-based Network Operations Center (NOC) and Security Operations Center (SOC) to maintain the security and performance of ORockCloud and all associated data and applications.

Gain FedRAMP Authorization for Your Commercial Applications

Per an OMB memorandum, any cloud services that hold federal data must be FedRAMP authorized, making compliance with FedRAMP guidelines mandatory for government agencies and Independent Software Vendors (ISVs) that sell applications to federal customers. Executive departments and agencies must submit quarterly reports listing all existing cloud services that do not meet FedRAMP requirements with the appropriate rationale and proposed resolutions for achieving compliance. In addition, many state and local governments also follow FedRAMP guidelines to minimize risk.

ORock developed its Federal Application Authorization Services (FAAS) program to enable ISVs to achieve FedRAMP authorization for Commercial Off-the-Shelf (COTS) applications and deliver them to government customers as compliant SaaS offerings. The FAAS program helps ISVs save time and money on the authorization process while accelerating time to market and reducing risk.

Protect Your Data in ORock’s FedRAMP Moderate Cloud

Find out how hosting in ORockCloud helps you comply with FedRAMP requirements.