FedRAMP 101: What is FedRAMP Authorization and Why Does it Matter to Federal Agencies?


As the crypto landscape grows increasingly more complex, government agencies need intelligence they can trust to disrupt threat actors that leverage crypto to conduct illicit activity and launder proceeds. Enter: blockchain intelligence.

Blockchain intelligence enhances raw blockchain data with threat intelligence that links on-chain activity to real-world entities, giving federal agencies—including law enforcement, defense, national security, civilian, and regulatory bodies—real-time visibility into the financial flows of their targets’ networks, which are increasingly moving away from traditional currencies to cryptocurrencies. In 2023, the illicit crypto ecosystem was valued at USD 34.8 billion.

There are a number of considerations to keep in mind when choosing the right blockchain intelligence platform to support your agency’s mission. For government agencies, security, compliance, and trust top the list. Blockchain intelligence is also mission-critical for these teams—providing the insights needed to trace and disrupt malicious activity on the blockchain that could destabilize communities, economies, and countries.

In 2021, the White House passed Executive Order 14028 (EO 14028), which lays out mandates to improve cybersecurity in the United States—including steps agencies must take to protect their mission-critical data. For the organizations that provide mission-critical data to these federal agencies—including TRM Blockchain Intelligence Platform—a key signal that demonstrates compliance with EO 14028 and a commitment to building the most secure solutions possible is the achievement of FedRAMP authorization.

How FedRAMP helps government agencies

Federal Risk and Authorization Management Program (FedRAMP®) authorization is a US government-wide program that standardizes the federal government’s approach to security assessment, authorization, and continuous monitoring of software and cloud products and services. FedRAMP helps government agencies in three key ways:

Standardizing security

The FedRAMP framework provides all government organizations a standardized approach to follow when it comes to assessing the security protocols of software tools, determining their viability as vendors (who will need to handle highly sensitive data and information), and continuously monitoring their performance and reliability.

Streamlining processes

FedRAMP helps reduce the duplication of efforts across federal agencies by allowing a single security assessment to be used by multiple agencies. This enables different government bodies to trust and use the same software across their respective agencies, without having to vet and get the provider listed as an approved vendor multiple times.

Enhancing security

FedRAMP authorization is a measurable way to ensure that software used by federal agencies meets rigorous security requirements. And because organizations have to continuously monitor and prove their adherence to FedRAMP’s security requirements, federal agencies know that they can trust FedRAMP-authorized entities with their mission-critical intelligence.

Key components of the FedRAMP authorization process

The road to earning FedRAMP authorization can take many months—even years—depending on the complexity of the product or service in question. But in general, there are three stages in the authorization process.

Step 1: Security assessment

Software providers or vendors undergo a thorough security assessment conducted by an accredited third-party assessment organization. This assessment evaluates the vendor’s security controls and practices based on FedRAMP's rigorous requirements.

Step 2: Authorization

Once the security assessment is complete, the provider submits the results to the FedRAMP Program Management Office. If the service meets all the necessary requirements, it receives one of these three authorization types from a federal agency or the FedRAMP Joint Authorization Board (JAB):

FedRAMP Ready

Indicates that the provider is prepared to undergo the FedRAMP authorization process. This is a preliminary status that demonstrates the provider has met foundational requirements, but is not yet fully authorized.

FedRAMP Authorized

Indicates that the vendor has successfully gone through the FedRAMP authorization process and meets all required security controls. Organizations that achieve FedRAMP authorization are issued an “Authority to Operate” (ATO) by the agency they are working with, which formally states that they are able to provide their services to all government agencies.

There are three main levels of FedRAMP security authorization, based on the sensitivity and impact level of the data the provider will handle, each with distinct security requirements and implications: Low, Moderate, and High.

  • FedRAMP Low is the lowest level of security categorization within the FedRAMP framework. It is designed for providers whose services carry a low risk to organizational operations, assets, or individuals, and where the potential impact of unauthorized access or disruption is limited. This authorization level is typically granted to systems that handle data designated as “low impact” according to federal information security standards.
  • FedRAMP Moderate is designed for providers that handle data with moderate impact levels—for example, platforms that process, store, or transmit information that could have a moderate adverse effect on an agency’s operations, assets, or individuals if compromised. This level of authorization is suitable for software that deals with non-public information, like sensitive (but unclassified) data. Many federal agencies use moderate-level controls for a range of applications.
  • FedRAMP High is intended for providers that handle data with a high impact level—in other words, software and platforms that process, store, or transmit information that could have a severe or catastrophic adverse effect on an agency’s operations, assets, or individuals if compromised. This level of authorization is designed for systems that handle sensitive data such as personally identifiable information (PII), health records, or other types of private information.

FedRAMP JAB Authorization

A special authorization granted by the FedRAMP Joint Authorization Board (JAB), which includes representatives from federal agencies including the General Services Administration (GSA), Department of Defense (DoD), and Department of Homeland Security (DHS). Achieving FedRAMP JAB authorization is an extremely rigorous process and involves a very high level of scrutiny.

Step 3: Continuous monitoring

Once authorized, vendors must continue to “earn” their authorization by ensuring their products and services continue to meet FedRAMP compliance requirements, long after receiving initial authorization. This includes regular security updates, vulnerability assessments, and incident reporting.

TRM’s road to FedRAMP authorization

TRM Labs has invested in a secure, FedRAMP-compliant environment to support your compliance with EO 14028. We’re currently undergoing the 3PAO security assessment and awaiting imminent authorization for FedRAMP Moderate—marking a critical milestone in our journey towards achieving full FedRAMP High authorization later this year.

This move to achieve FedRAMP High authorization underscores our commitment to meeting stringent federal security and compliance standards—enabling us to better serve our federal customers; future-proof our platform for the ever-evolving needs of defense, law enforcement, civilian, and national security agencies; and provide the most secure, reliable solutions that US government clients can depend on for their mission-critical operations. In accordance with EO 14028, our authorization will also enable our federal customers and users to:

  • Access mission-critical blockchain intelligence in a secure and compliant cloud environment
  • Support agency compliance with EO 14028 by improving their software supply chain cybersecurity
  • Keep TRM compliant with ATO requirements, eliminating waivers to reduce reauthorization time, risk, and effort

To learn more about TRM’s journey to achieving FedRAMP authorization, check out this press release.
