Box is FedRAMP High Authorized
Box meets key requirements for handling highly sensitive U.S. government data

Box and FedRAMP
In 2016, Box obtained a FedRAMP Marketplace Designation: Authorized at the Moderate impact level. Now in 2025, we’ve obtained a FedRAMP Marketplace Designation: Authorized at the High impact level. This builds on momentum from 2024, when the U.S. Department of Veterans Affairs (VA) sponsored and granted Box a High Authorization to Operate (ATO) at the agency level. This included an independent assessment of over 421 security controls, allowing the VA to expand its use of our Intelligent Content Management platform for highly sensitive data, such as Personally Identifiable Information, sensitive patient records, financial data, law enforcement data, and other Controlled Unclassified Information (CUI).
Box now meets some of the highest standards for security and compliance during a crucial time when cybersecurity can make or break an organization, especially since the average cost of a data breach in the U.S. is $4.88M. Intelligent Content Management can help organizations fulfill the Future of Work Initiative, supported by the United States Office of Personnel Management (OPM), which requires government agencies to be efficient and agile to outpace adversaries when it comes to cybersecurity.
Get to know FedRAMP
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. All U.S. federal agencies are required by the Federal Information Security Management Act (FISMA) to procure information systems and services only from organizations that adhere to FISMA requirements. For cloud services, federal agencies comply by authorizing services that demonstrate their compliance with one of the FedRAMP security baselines.
To achieve a FedRAMP authorization, cloud service providers (CSPs) must undergo an independent security assessment conducted by a third-party assessment organization (3PAO) to ensure authorizations are compliant with FISMA, and must meet FedRAMP's continuous monitoring requirements.
The importance of FedRAMP
FedRAMP enables the federal government to quickly adopt cloud computing by creating transparent standards and processes for security authorizations, while also allowing agencies to leverage security authorizations on a government-wide scale. FedRAMP is mandatory for all executive agency cloud deployments and service models at the Low, Moderate, and High risk impact levels.
Levels are based on the potential impacts of a security breach in three different areas:
- Confidentiality: Protections for privacy and proprietary information
- Integrity: Protections against modification or destruction of information
- Availability: Timely and reliable access to data
The three impact levels of FedRAMP authorizations
The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government.
FedRAMP Low
Limited adverse effects
Low Impact is most appropriate where the loss of confidentiality, integrity, and availability would result in a limited adverse effect on an agency’s operations, assets, or individuals. FedRAMP currently has two baselines for systems with Low Impact data: LI-SaaS Baseline and Low Baseline.
FedRAMP Moderate
Serious adverse effects
Moderate Impact is most appropriate where the loss of confidentiality, integrity, and availability would result in a serious adverse effect on an agency’s operations, assets, or individuals. Serious adverse effects could include operational damage to agency assets, financial loss, or non-life-threatening individual harm.
FedRAMP High
Catastrophic adverse effects
High Impact data is usually in law enforcement and emergency services systems, financial systems, health systems, and any other system where loss of confidentiality, integrity, or availability could have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.