FEDRAMP

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. 

What is its purpose?

The FedRAMP approach uses a “do once, use many times” framework that saves an estimated 30-40% in government costs, along with the time and staff otherwise required to conduct redundant agency security assessments. FedRAMP is the result of close collaboration with cybersecurity and cloud experts from the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DOD), National Security Agency (NSA), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO) Council and its working groups, as well as private industry. The goals and benefits of FedRAMP are listed below:

Goals

  • Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
  • Increase confidence in security of cloud solutions
  • Achieve consistent security authorizations using a baseline set of agreed-upon standards to be used for cloud product approval in or outside of FedRAMP
  • Ensure consistent application of existing security practices
  • Increase confidence in security assessments
  • Increase automation and near real-time data for continuous monitoring

Benefits

  • Increase re-use of existing security assessments across agencies
  • Save significant cost, time, and resources – “do once, use many times”
  • Improve real-time security visibility
  • Provide a uniform approach to risk-based management
  • Enhance transparency between government and Cloud Service Providers (CSPs)
  • Improve the trustworthiness, reliability, consistency, and quality of the Federal security authorization process

How is it implemented?

FedRAMP authorizes cloud systems in a three-step process:

1. Security Assessment: The security assessment process uses a standardized set of requirements in accordance with FISMA, using a baseline set of NIST 800-53 controls to grant security authorizations.

2. Leveraging and Authorization: Federal agencies view security authorization packages in the FedRAMP repository and leverage those packages to grant a security authorization at their own agency.

3. Ongoing Assessment & Authorization: Once an authorization is granted, ongoing assessment and authorization activities must be completed to maintain the security authorization.

How does FISMA affect us and our customers?

Agencies engage with Cloud Service Providers (CSPs), Independent Assessors, and the FedRAMP PMO to meet FedRAMP requirements. Agencies that successfully navigate FedRAMP:

  • Leverage the FedRAMP PMO process and the JAB-approved FedRAMP security authorization requirements as a baseline when initiating, reviewing, granting and revoking security authorizations for cloud services
  • Require cloud service providers to meet FedRAMP requirements via contractual provisions
  • Identify and annually report on cloud services being used that do not meet FedRAMP requirements
  • Assess, authorize and continuously monitor security controls of cloud systems

Additional information on the role of agencies can be found on the Security Assessment Framework and the Guide to Understanding FedRAMP.

You can find a current list of FedRAMP compliant cloud systems at https://marketplace.fedramp.gov/#/products?sort=productName.

For more information, please see the references below:

https://www.fedramp.gov/