BioTrackTHC FedRAMP Authorization 2017-05-14T22:46:36+00:00

BioTrackTHC and FedRAMP




BioTrackTHC recently became the first company in the history of the cannabis industry to offer a FedRAMP Authorized environment, the highest level of cloud security in the world, for its state Traceability Systems.

By meeting all necessary requirements and going through a thorough vetting process, BioTrackTHC was granted usage rights to the Amazon Government Cloud (AWS GovCloud), which “is an isolated AWS region designed to host sensitive data and regulated workloads in the cloud, helping customers support their U.S. government compliance requirements, including the International Traffic in Arms Regulations (ITAR) and Federal Risk and Authorization Management Program (FedRAMP).”


What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Why is BioTrackTHC FedRAMP Authorized?

By participating in FedRAMP, BioTrackTHC is able to offer our partners a secure cloud-based data storage solution on par with the largest organizations in the world, including NASA and the Department of Defense. Traceability systems house information coming in directly from the state Department of Health, including patient data and patient records. Ensuring the safety and security of this information is our absolute highest priority. By becoming FedRAMP authorized, BioTrackTHC is in the unique position to offer its state traceability clients the most secure cloud environment available.

Who will have access to Traceability System data?

While FedRAMP authorized environments are qualified and regulated by the US Government, this does not mean the data stored there is accessible by government agencies. On the contrary, it means that the data housed there will be made inaccessible unless an individual or agency is able to provide the proper security keys, which are exclusively held by BioTrackTHC executives and their security team.

“Security is the absolute highest priority for BioTrackTHC. There’s patient data in there; information coming in directly from the Department of Health, so maintaining this high level of security remains a top priority. What we follow is C.I.A. – Confidentiality, Integrity and Availability. If a system goes down, we have encrypted backups on hand that remain private and confidential, but with the proper security keys, they can be put into place in a matter of minutes in the unlikely event of an emergency.”

David Terrell, CTO, BioTrackTHC

More information on FedRAMP

The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves an estimated 30-40% of government costs, as well as both time and staff required to conduct redundant agency security assessments. FedRAMP is the result of close collaboration with cybersecurity and cloud experts from the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DOD), National Security Agency (NSA), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO) Council and its working groups, as well as private industry.

FedRAMP Goals

  • Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
  • Increase confidence in security of cloud solutions
  • Achieve consistent security authorizations using a baseline set of agreed-upon standards to be used for cloud product approval in or outside of FedRAMP
  • Ensure consistent application of existing security practice
  • Increase confidence in security assessments
  • Increase automation and near real-time data for continuous monitoring

FedRAMP Benefits

  • Increase re-use of existing security assessments across agencies
  • Save significant cost, time, and resources – “do once, use many times”
  • Improve real-time security visibility
  • Provide a uniform approach to risk-based management
  • Enhance transparency between government and Cloud Service Providers (CSPs)
  • Improve the trustworthiness, reliability, consistency, and quality of the Federal security authorization process

FedRAMP Partners

There are three main players in the FedRAMP process: Agencies, CSPs, and Third Party Assessment Organizations (3PAOs). Agencies are responsible for selecting a cloud service, leveraging the FedRAMP process, and requiring CSPs to meet FedRAMP requirements. CSPs provide the actual cloud service to an Agency, and must meet all FedRAMP requirements before they implement their services. 3PAOs perform initial and periodic assessment of CSP systems per FedRAMP requirements, provide evidence of compliance, and play an ongoing role in ensuring CSPs meet requirements. FedRAMP provisional authorizations (P-ATOs) must include an assessment by an accredited 3PAO to ensure a consistent assessment process.

FedRAMP Key Processes

FedRAMP authorizes cloud systems in a three-step process:

  • Security Assessment: The security assessment process uses a standardized set of requirements in accordance with FISMA using a baseline set of NIST 800-53 controls to grant security authorizations.
  • Leveraging and Authorization: Federal agencies view security authorization packages in the FedRAMP repository and leverage the security authorization packages to grant a security authorization at their own agency.
  • Ongoing Assessment & Authorization: Once an authorization is granted, ongoing assessment and authorization activities must be completed to maintain the security authorization.

FedRAMP Governance

FedRAMP is a government-wide program with input from numerous departments, agencies, and government groups. The program’s primary decision-making body is the Joint Authorization Board (JAB), composed of the CIOs from DOD, DHS, and GSA. In addition to the JAB, OMB, the Federal CIO Council, NIST, DHS, and the FedRAMP Program Management Office (PMO) play key roles in effectively running FedRAMP.


For more information on BioTrackTHC’s FedRAMP Authorized environment, or to inquire about adding your state to the AWS GovCloud, contact your respective state’s representative or contact us.