The Federal Risk and Authorization Management Program (FedRAMP) FAQ
Public sector customers, like private enterprises, must perform due diligence on any cloud-based solution to ensure that sensitive data is properly protected, while it’s outside of their direct control and that all other relevant security policies are met. In order to make this simple for U.S. federal agencies, the U.S. Office of Management and Budget created the Federal Risk and Authorization Management Program (FedRAMP).
FedRAMP is an assessment and authorization process which U.S. federal agencies use to ensure proper security controls are in place when accessing cloud computing products and services. FedRAMP provides a single, consistent process for validating cloud services across all U.S. federal agencies, which streamlines the procurement process for many public sector customers and ensures that consistent baseline security policies are used across different agencies.
Cloud computing continues to revolutionize the way businesses and the federal government operate and this includes the need to replace antiquated infrastructure and harness computing power in order to solve complex cybersecurity challenges. Inherently, there are risks with adopting cloud computing and FedRAMP has been established as a mandatory security compliance framework for assessing the risk of cloud computing implementation for federal agencies. FedRAMP applies to all cloud service providers (CSPs) that plan to do business with the federal government.
Yes. As of September 2018, CrowdStrike Falcon® on GovCloud is recognized as “FedRAMP Authorized” on the FedRAMP Marketplace, and in April 2022 CrowdStrike was granted a Provisional Authorization to Operate (P-ATO) at Impact Level 4 (IL-4) through the Defense Information Systems Agency (DISA) Cloud Computing Security Requirements Guidance (CC SRG). CrowdStrike Falcon® on GovCloud was granted P-ATO at Impact Level 5 (IL-5) in May 2023.
Falcon on GovCloud, also referred to as GOV-1, is authorized to operate at the FedRAMP Moderate. This level of authorization is sufficient to meet the requirements of the vast majority of the civilian government and some segments of the Department of Defense as well.
Falcon on GovCloud-1, also referred to as GOV-1, is authorized to operate at Impact Level 4 (IL-4). This level of authorization is sufficient for a broad range of Department of Defense (DoD) and Defense Industrial Base (DIB) customers.
With the launch of GovCloud-2, CrowdStrike is proud to share that it has been granted DoD Impact Level 5 (IL-5) P-ATO and is committed to helping secure National Security Systems (NSS) and agencies and supporting organizations with controlled unclassified information (CUI) that requires this higher level of protection.
CrowdStrike’s FedRAMP Moderate authorization is sponsored by the Department of Commerce’s International Trade Administration (ITA), and our Impact Level 4 (IL-4) authorization is sponsored by the Defense Information Systems Agency (DISA).
For customers who are subject to FedRAMP or DoD Cloud SRG requirements, it greatly simplifies procurement of Falcon solutions and helps agencies improve services by migrating to the cloud. The FedRAMP and DoD cloud authorizations that CrowdStrike maintains and is pursuing are in alignment with the protection of controlled unclassified data as laid out in a variety of compliance programs including FedRAMP, DoD Cloud SRG, and NIST SP 800-171. Meeting these stringent requirements reinforces CrowdStrike’s commitment and ability to serve customers of all types by safeguarding their enterprises with the most effective endpoint protection platform and ultimately stopping breaches. Customers who are not subject to these requirements gain assurance, knowing that the Falcon platform has been audited and validated against some of the strictest security requirements in the world — they can move their endpoint security to the cloud with complete confidence.
CrowdStrike has now been granted authorization to help the Department of Defense and Intelligence Community in protecting National Security Systems (NSS) through our Impact Level 5 P-ATO. CrowdStrike is proud to bring its best-of-breed cybersecurity products and services to these critical customers. For more information on future enhancements, product availability and timelines, please reach out to your local sales representative.
CrowdStrike will be pursuing FedRAMP High authorization for the existing GOV-1 environment. Expected dates for authorization cannot be determined due to various stakeholder influences and other factors. Similarly, CrowdStrike is already prioritized for JAB authorization which we intend to continue pursuing.
For more information:
Read the FedRAMP blog
Contact the CrowdStrike Public Sector Team at 1.888.512.8906 or email publicsector@crowdstrike.com
Download a white paper and learn why Endpoint Security Must Move to the Cloud
