FedRAMP and SOC 2: What’s the Big Difference?

As cloud services have evolved, so have FedRAMP and its security authorization processes. FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. It is a mandatory certification that companies must hold if they want to prove their cloud offerings are secure enough for U.S. government data.

Meanwhile, a SOC 2 report is a self-governed review of the security profile and confidentiality of the solution or data center. SOC 2 has become the go-to for commercial companies to quickly understand the security profile of a cloud service provider (CSP). Even so, while a SOC 2 provides guidance, it does not mandate a standard against which a CSP is measured.

“FedRAMP recognizes that ISO 27001’s Management Standard and SOC 2 are both respected security regimes within industry, and compliance can indicate that CSPs have security in place.

However, it is important to understand that the Federal Information Security Modernization Act (FISMA) – and by extension, FedRAMP – views security through a different lens than these security regimes. FedRAMP’s assessment is focused on the security of data within a system, and what can impact the security of that data.

ISO and SOC 2 generally focus on how a vendor handles security, and validate whether they follow their stated policies and procedures. FedRAMP’s risk assessment and authorization decision is contingent on the ability of a CSP to adequately scope their authorization boundary to account for the secure management of data within their system.

We recognize this is a shift in how industry may be used to working, and we are committed to supporting CSPs in understanding how to view security from this vantage point and fully understand their authorization boundaries in the context of FISMA.” [1]

Getting FedRAMP Authorization

To obtain FedRAMP authorization, a CSP must evaluate its current security profile against the FedRAMP standard. Often this requires changes to the underlying technology as well as to company procedures and policies. Additionally, a CSP must implement continuous monitoring and regular evaluation against the standard to maintain its status.

FedRAMP authorization is granted either by the FedRAMP Joint Authorization Board, in which case it applies across the Federal Government, or by a single agency, in which case it applies only to that agency.

CSPs can self-attest that their solutions meet FedRAMP standards and engage approved independent third-party organizations to audit their compliance and issue attestations.

CSPs such as SAP NS2 that have invested in meeting FedRAMP standards for their solutions demonstrate that they provide a security profile meeting those standards, backed by established procedures and policies that commercial companies desire, and should demand, for their cloud-based solutions.

The Bottom Line

A SOC 2 report is a measurement against self-established security controls, procedures, and policies, while FedRAMP compliance is a measurement against a standard set of security controls, procedures, and policies established by the Federal Government and based on NIST and FISMA standards.

Commercial companies can leverage the standards created by FedRAMP to improve the security profile delivered by CSPs. FedRAMP establishes a minimum level of security that all CSPs should be measured against.

[1] https://www.fedramp.gov/fedramp-boundary-guidance-industry-response-and-webinar/

Tom Voshell

SAP NS2 Cloud