FedRAMP, FISMA, and SOC 2... What's the Difference?

FISMA, FedRAMP, and SOC 2 are common IT Security terms, often bandied around interchangeably by those unfamiliar with what each entails. Many people want to understand the differences between these laws and accreditations. The audits are somewhat similar at face value, but the target audience, requirements, and procedures are substantially different

Even though they each have a purpose and target different groups, they all share a common goal: protecting sensitive data. Check out our guide below to learn about each of these terms and the differences between them. 

What is FedRAMP? 


FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services. FedRAMP is both a security standard for commercial entities and a business driver to the cloud for Federal agencies. The initiative encourages government agencies to move from traditional datacenter applications into cloud services wherever possible. Using a “do once use many times” approach, a FedRAMP certification allows Cloud Service Providers (CSPs) to sell their cloud offering anywhere within the Federal Government. 


Cloud Service Providers for the United States Federal Government.


In December of 2010, the Office of Management and Budget (OMB) released the 25 Point Implementation Plan to Reform Federal Information Technology Management, which established the Cloud First policy requiring federal agencies to use cloud-based solutions. 

FedRAMP Certification Requirements 

The FedRAMP Security Assessment Framework (SAF) is based on the Risk Management Framework (RMF) that was developed by the National Institute of Standards and Technology (NIST). The only real difference is that the six steps outlined by NIST combine into four process areas:  

  • Document  
  • Assess 
  • Authorize 
  • Monitor 

The Document process area combines steps 1 through 3 of the NIST RMF, and the rest of the process areas are a direct mapping to process steps outlined by NIST. Additionally, FedRAMP uses the Control Tailoring Workbook and Control Implementation Summary, which helps delineate and summarize security responsibilities for CSPs and agencies.

What is FISMA? 


FISMA (or the Federal Information Security Modernization Act) requires every federal agency to develop, document, and implement an agency-wide program to provide information security for the data and systems that support the operations and assets of the agency. These include those provided or managed by another agency, contractor, or other sources. This means that if you sell services to the Federal Government, your services will need to satisfy their FISMA compliance as well. 


The US Government.


With 9/11 and a rapid acceleration in security incidents, the Federal Government signed the E-Government Act in 2002 to provide a small fragment of guidance for securing its IT systems. That law was updated to create the FISMA Act of 2014, with the more robust reporting requirements which federal agencies must comply. 

FISMA Certification Requirements 

The Risk Management Framework (RMF) you must follow will depend on if you’re an agency or a contractor supporting that agency. The NIST 800-171 Special Publication applies to government contractors since it is written to protect controlled government data residing on a non-federal system. NIST 800-53 is written for the same purpose but is intended for the agency-owned systems.  

What is SOC 2?


SOC 2 is a framework for information security that organizations willingly submit to prove to their clients that they have an acceptable level of internal security when it comes to storing sensitive customer information. The SOC 2 framework is often used to comply with HIPAA and GDPR. 


SaaS vendors and any other organization storing customer data in the cloud 


Born out of financial auditing, SOC 2 developed organically to report on the information security controls within an organization. It’s adapted to fit the needs of many commercial organizations that need to prove to a standard that they have. 

SOC 2 Certification Requirements 

The policies, procedures, and documentation that must be provided for SOC 2 compliance are called the Common Criteria, a lighter RMF than FedRAMP, NIST 800-53, or NIST 800-171. 

Security and Compliance Expertise 

Understanding the terminology is the first step to getting started with compliance certifications and frameworks. With over a decade in helping both federal and commercial clients with their compliance needs, we specialize in transferring knowledge to your organization, setting you up for successful audits, and increasing your overall security posture.  

Check out the additional resources below and contact us for more information: 

FedRAMP and 3PAO Services > 

Governance, Risk, and Compliance > 

Vulnerability Management > 

Top 4 Reasons you Need FedRAMP Certification > 

More from Our Cybersecurity Experts