Box and FedRAMP
In 2016, Box obtained a FedRAMP Marketplace designation of Authorized at the Moderate impact level, and as of 2022 we are In-Process at the High impact level with the U.S. Department of Veterans Affairs (VA) as our sponsor. At the agency level, the VA has granted Box a High Authorization to Operate (ATO). The ATO, which includes an independent assessment of over 421 security controls, allows the VA to expand its use of the Content Cloud to highly sensitive data such as Personally Identifiable Information (PII), sensitive patient records, financial data, law enforcement data, and other Controlled Unclassified Information (CUI). Box therefore meets some of the highest standards for security and compliance at a time when cybersecurity can make or break your organization, especially since the average cost of a data breach in the U.S. is now $9.44M. The Box Content Cloud can help your organization fulfill the Future of Work Initiative, supported by the United States Office of Personnel Management (OPM), which requires government agencies to be efficient and agile in order to outpace adversaries in cybersecurity.
Get to know FedRAMP
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
All U.S. federal agencies are required by the Federal Information Security Management Act (FISMA) to procure information systems and services only from organizations that adhere to FISMA requirements. For cloud services, federal agencies meet this requirement by authorizing only services that demonstrate compliance with one of the FedRAMP security baselines.
To achieve a FedRAMP authorization, a cloud service provider (CSP) must undergo an independent security assessment conducted by a third-party assessment organization (3PAO), which verifies that the service complies with FISMA, and must then meet FedRAMP's continuous monitoring requirements.
The importance of FedRAMP
FedRAMP enables the federal government to quickly adopt cloud computing by creating transparent standards and processes for security authorizations, while also allowing agencies to leverage security authorizations on a government-wide scale. FedRAMP is mandatory for all executive agency cloud deployments and service models at the Low, Moderate, and High risk impact levels.
Levels are based on the potential impacts of a security breach in three different areas:
- Confidentiality: Protections for privacy and proprietary information
- Integrity: Protections against modification or destruction of information
- Availability: Timely and reliable access to data
The three impact levels of FedRAMP authorizations
The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government.
Limited adverse effects
Low Impact is most appropriate where the loss of confidentiality, integrity, and availability would result in a limited adverse effect on an agency’s operations, assets, or individuals. FedRAMP currently has two baselines for systems with Low Impact data: the LI-SaaS Baseline and the Low Baseline.
Serious adverse effects
Moderate Impact is most appropriate where the loss of confidentiality, integrity, and availability would result in a serious adverse effect on an agency’s operations, assets, or individuals. Serious adverse effects could include operational damage to agency assets, financial loss, or non-life-threatening harm to individuals.
Catastrophic adverse effects
High Impact data is usually in law enforcement and emergency services systems, financial systems, health systems, and any other system where loss of confidentiality, integrity, or availability could have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Does FedRAMP apply to my organization?
FedRAMP is mandatory for all executive agency cloud deployments and service models at the Low, Moderate, and High risk impact levels. Any federal agency that wants to engage a cloud service provider (CSP) may be required to meet FedRAMP specifications. In addition, companies that employ cloud technologies in products or services used by the federal government may be required to obtain an ATO. Please refer to the FedRAMP Policy memo for further information pertaining to FedRAMP’s applicability.
How does my organization become FedRAMP compliant?
There are two approaches to obtaining a FedRAMP Authorization: a provisional authorization through the Joint Authorization Board (JAB) or an authorization through an agency. In the Agency Authorization path, agencies may work directly with a CSP for authorization at any time. CSPs that make a business decision to work directly with an agency to pursue an Authority to Operate (ATO) will work with the agency throughout the FedRAMP Authorization process.
For more information, refer to Get Authorized: Agency Authorization.
What agencies already use Box for FedRAMP?
Multiple agencies use Box for their FedRAMP Moderate security needs, including the Department of Education, Internal Revenue Service, Food and Drug Administration, Department of Veterans Affairs, and more. Visit the FedRAMP website to view a complete list of our FedRAMP customers.
What is the difference between FedRAMP and StateRAMP?
Much like FedRAMP was created to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services that store, process, and transmit federal information, StateRAMP was designed to do the same for state and local government agencies. In 2022, Box became StateRAMP Moderate Authorized; learn more here.
Does Box comply with the Federal Information Security Management Act (FISMA)?
FISMA is the federal law that requires U.S. federal agencies and their partners to procure information systems and services only from organizations that adhere to FISMA requirements. Most agencies and vendors that describe themselves as FISMA-compliant are referring to how they meet the controls identified by NIST in Special Publication 800-53 Rev. 4. The FISMA process (but not the underlying standards themselves) was replaced by FedRAMP in 2011.
What other government-related certifications does Box hold?
Box is committed to providing our customers a solution that helps them meet and exceed their regulatory and compliance needs and obligations. Within the United States Federal and Department of Defense community, Box has achieved a number of certifications, such as Department of Defense (DoD) Impact Level 4 (IL4), that demonstrate our capabilities and commitment to security. Learn more by visiting the Box Trust Center or reading this white paper.