In December 8, 2011, the CIO of the United States, defined how federal agencies should use Federal Risk and Authorization Management Program (FedRAMP). FedRAMP consists of a subset of NIST Special Publication 800-53 security controls specifically selected to provide protection in cloud environments. A subset has been defined for the FIPS 199 low categorization and the FIPS 199 moderate categorization.

As federal agencies embrace cloud technologies, they must also ensure that the cloud provider, operating system, and applications operate in a secure manner. With that, agencies are supposed to use FedRAMP Authorized Cloud Service Providers. The second facet is to ensure that the system being utilized has been certified and approved.

IBM Maximo is on the FedRAMP Marketplace that will enable you to user the approved System Security Plan (SSP) and only have to be responsible for your network.

The thought process was to develop a framework so that once an agency had invested the effort to certify a platform and/or software package it could be utilized by others without a total rework. This standardized approach would encompass system authorizations, security assessments, and continuous monitoring for cloud developed products and services. FedRAMP is mandatory for all Federal Agency cloud deployments and service models that are operating at the FIPS 199 low, moderate, and high-risk impact levels.

For those agencies already utilizing or wanting to deploy IBM Maximo Asset Management systems, the FedRAMP Program Management Office (PMO) has listed Maximo SaaS offering as “Authorized”. This means that you can move to Maximo SaaS with confidence.


Got more questions? Check out the ITS FedRAMP FAQ.

ITS has experience moving clients to FedRAMP and with the entire security process.  ITS also has CISSP and CGRC certified security personnel that can speak to you about your move to FedRAMP and assist you with your choice of providers.  Contact ITS to discuss your options.