Box and FedRAMP
In 2016, Box obtained a FedRAMP Marketplace Designation of Authorized at the Moderate impact level, and as of 2022 we are In-Process at the High impact level with the U.S. Department of Veterans Affairs (VA) as our sponsor. At the agency level, the VA has granted Box a High Authorization to Operate (ATO). This ATO, which includes an independent assessment of over 421 security controls, allows the VA to expand its use of the Content Cloud for highly sensitive data, such as Personally Identifiable Information, sensitive patient records, financial data, law enforcement data, and other Controlled Unclassified Information (CUI). Box therefore meets some of the highest standards for security and compliance at a time when cybersecurity can make or break your organization, especially since the average cost of a data breach in the U.S. is now $9.44M. The Box Content Cloud can help your organization fulfill the Future of Work Initiative, supported by the United States Office of Personnel Management (OPM), which requires government agencies to be efficient and agile in order to outpace adversaries in cybersecurity.
Get to know FedRAMP
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
All U.S. federal agencies are required by the Federal Information Security Management Act (FISMA) to procure information systems and services only from organizations that adhere to FISMA requirements. For cloud services, federal agencies comply by authorizing only services that demonstrate compliance with one of the FedRAMP security baselines.
To achieve a FedRAMP authorization, cloud service providers (CSPs) must undergo an independent security assessment conducted by a third-party assessment organization (3PAO), which verifies that the authorization is compliant with FISMA, and must then satisfy FedRAMP's continuous monitoring requirements for as long as the authorization is held.
The importance of FedRAMP
FedRAMP enables the federal government to quickly adopt cloud computing by creating transparent standards and processes for security authorizations, while also allowing agencies to leverage security authorizations on a government-wide scale. FedRAMP is mandatory for all executive agency cloud deployments and service models at the Low, Moderate, and High risk impact levels.
Levels are based on the potential impacts of a security breach in three different areas:
- Confidentiality: Protections for privacy and proprietary information
- Integrity: Protections against modification or destruction of information
- Availability: Timely and reliable access to data
The three impact levels of FedRAMP authorizations
The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government.
Limited adverse effects
Low Impact is most appropriate where the loss of confidentiality, integrity, and availability would result in a limited adverse effect on an agency’s operations, assets, or individuals. FedRAMP currently has two baselines for systems with Low Impact data: the LI-SaaS Baseline and the Low Baseline.
Serious adverse effects
Moderate Impact is most appropriate where the loss of confidentiality, integrity, and availability would result in a serious adverse effect on an agency’s operations, assets, or individuals. Serious adverse effects could include operational damage to agency assets, financial loss, or non-life-threatening harm to individuals.
Catastrophic adverse effects
High Impact data is usually found in law enforcement and emergency services systems, financial systems, health systems, and any other system where the loss of confidentiality, integrity, or availability could have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Does FedRAMP apply to my organization?
How does my organization become FedRAMP compliant?
What agencies already use Box for FedRAMP?
What is the difference between FedRAMP and StateRAMP?
Does Box comply with the Federal Information Security Management Act (FISMA)?
What other government-related certifications does Box hold?