FedRAMP

What is FedRAMP?

FedRAMP enables federal agencies and cloud solution providers (CSPs) to adapt rapidly from old, insecure, legacy IT to mission-enabling, secure, cost-effective, cloud-based IT.

FedRAMP defines and manages a core set of processes to ensure effective, repeatable cloud security for the government. It also established a mature marketplace to increase the use of and familiarity with cloud services while facilitating collaboration across government through the open exchange of lessons learned, use cases, and tactical solutions.

What are the goals of FedRAMP?

FedRAMP aims to:

• Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
• Improve confidence in the security of cloud solutions and security assessments
• Achieve consistent security authorizations using a baseline set of agreed-upon standards for cloud product approval in or outside of FedRAMP
• Ensure consistent application of existing security practices
• Increase automation and use of near-real-time data for continuous monitoring

What are the FedRAMP governance bodies?

The governance of FedRAMP is performed by various executive branch entities that work collaboratively to develop, manage, and operate the program. FedRAMP governing bodies include the following:

• Joint Authorization Board (JAB) is the primary governance and decision-making body for FedRAMP. It includes the chief information officers (CIOs) from the Department of Homeland Security (DHS), General Services Administration (GSA), and Department of Defense (DOD).
• Office of Management and Budget (OMB) is the governing body that issued the FedRAMP policy memo, which defines the key requirements and capabilities of the program.
• CIO Council disseminates FedRAMP information to federal CIOs and other representatives through cross-agency communications and events.
• FedRAMP Program Management Office (PMO) is within GSA and is responsible for the development of the FedRAMP program including the management of day-to-day operations.
• Department of Homeland Security (DHS) manages the FedRAMP continuous monitoring strategy including data feed criteria, reporting structure, threat notification coordination, and incident response.
• National Institute for Standards and Technology (NIST) advises FedRAMP on Federal Information Security Modernization Act (FISMA) compliance requirements and assists in developing the standards for the accreditation of independent third-party assessment organizations (3PAOs).

What requires FedRAMP compliance?

Per an OMB memorandum, any cloud services offering (CSO) that holds federal data must be FedRAMP authorized.

FedRAMP compliance is mandatory for federal agency cloud deployments and service models at the low-, moderate-, and high-risk impact levels. Private cloud deployments intended for single organizations and implemented fully within federal facilities are the only exception.

What types of authorizations are available for FedRAMP?

FedRAMP cloud service authorizations include:

• Provisional authority to operate (P-ATO) by the JAB
• Agency authority to operate (ATO)
• Tailored authorization

Who is involved in FedRAMP authorization?

• Federal agencies can save money and time by adopting innovative cloud services to meet their critical mission needs.
• CSPs offer cloud services that allow federal agencies to meet their mission needs securely and quickly.
• 3PAOs perform initial and periodic assessments of cloud systems to ensure they meet FedRAMP requirements.

How do federal agencies, CSPs, and 3PAOs satisfy FedRAMP requirements?

The FedRAMP Security Controls Baseline document provides an overview of the security controls, enhancements, parameters, requirements, and guidance listed in the FedRAMP System Security Plan templates.

Federal agencies and CSPs must implement these security controls, enhancements, parameters, and requirements within a cloud computing environment to satisfy FedRAMP requirements. The security controls and enhancements have been selected from the NIST SP 800-53 Revision 4 catalog of controls. The selected controls and enhancements are for cloud systems designated at the low-, moderate-, and high-impact information systems as defined in Federal Information Processing Standards (FIPS) Publication 199.