Box is FedRAMP Moderate Authorized

Box meets key requirements for handling sensitive U.S. Government data

FedRAMP authorization details

Box and FedRAMP

In 2016, Box has obtained a FedRAMP Marketplace Designation — Authorized at the Moderate impact level, and fast forward to 2022, we are In-Process at the High impact level with the U.S. Department of Veterans Affairs (VA) as our sponsor. And at the agency level, the VA has granted Box a High Authorization to Operate (ATO), which includes an independent assessment of over 421 security controls, allows the VA to expand their use of the Content Cloud for highly sensitive data, such as Personal Identifiable Information, sensitive patient records, financial data, law enforcement data, and other Controlled Unclassified Information (CUI). Therefore, Box meets some of the highest standards for security and compliance during a crucial time when cybersecurity can make or break your organization — especially since the average cost of a data breach in the U.S. is now $9.44M. The Box Content Cloud can help your organization fulfill the Future of Work Initiative, supported by the United States Office of Personnel Management (OPM), which requires government agencies to be efficient and agile to outpace adversaries when it comes to cybersecurity.

Get to know FedRAMP

FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. 

All U.S. federal agencies are required by Federal Information Security Management Act (FISMA) to procure information systems and services only from organizations that adhere to FISMA requirements. For cloud services, federal agencies adhere by authorizing services that demonstrate their compliance with one of the FedRAMP security baselines. 

To achieve a FedRAMP authorization, cloud service providers (CSPs) must undergo an independent security assessment conducted by a third-party assessment organization (3PAO) to ensure authorizations are compliant with FISMA and must maintain continuous monitoring requirements of FedRAMP. 

Source: FedRAMP

The importance of FedRAMP

FedRAMP enables the federal government to quickly adopt cloud computing by creating transparent standards and processes for security authorizations, while also allowing agencies to leverage security authorizations on a government-wide scale. FedRAMP is mandatory for all executive agency cloud deployments and service models at the Low, Moderate, and High risk impact levels.


Levels are based on the potential impacts of a security breach in three different areas:

  • Confidentiality: Protections for privacy and proprietary information
  • Integrity: Protections against modification or destruction of information
  • Availability: Timely and reliable access to data

Source: FedRAMP 

The three impact levels of FedRAMP authorizations

The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government.


Limited adverse effects

Low Impact is most appropriate where the loss of confidentiality, integrity, and availability would result in limited adverse effect on an agency’s operations, assets, or individuals. FedRAMP currently has two baselines for systems with Low Impact data: LI-SaaS Baseline and Low Baseline.

FedRAMP Moderate
FedRAMP Moderate

Serious adverse effects

Moderate Impact is most appropriate where the loss of confidentiality, integrity, and availability would result in serious adverse effect on an agency’s operations, assets, or individuals. Serious adverse effects could include operational damage to agency assets, financial loss, or non-life threatening individual harm.

FedRAMP High
FedRAMP High

Catastrophic adverse effects

High Impact data is usually in law enforcement and emergency services systems, financial systems, health systems, and any other system where loss of confidentiality, integrity, or availability could have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.


Does FedRAMP apply to my organization?
How does my organization become FedRAMP compliant?
What agencies already use Box for FedRAMP?
What is the difference between FedRAMP and StateRAMP?
Does Box comply with the Federal Information Security Management Act (FISMA)?
What other government related certifications are there that Box has?

Learn more about Box’s approach to security and compliance

federal building
Accelerate validation in the cloud with always-on testing

Find out how to connect a mobile workforce and retire paper-based processes with Box.

Read datasheet
industry compliance
Discover how we approach Security and Compliance

We're dedicated to earning and keeping our customers' trust — every day.

Visit Box Trust Center
Department of Veterans Affairs USA
Box for Veterans Affairs

Learn how the U.S. Department of Veterans Affairs uses Box’s Content Cloud

Read blog

Ready to get started?