As a primary actor in the FedRAMP process, agencies engage with CSPs, 3PAOs, and the FedRAMP PMO on a number of fronts in order to meet FedRAMP requirements. Agencies that successfully navigate FedRAMP:
  • Leverage the FedRAMP PMO process and the JAB-approved FedRAMP security authorization requirements as a baseline when initiating, reviewing, granting and revoking security authorizations for cloud services
  • Require cloud service providers to meet FedRAMP requirements via contractual provisions
  • Identify and annually report on cloud services being used that do not meet FedRAMP requirements
  • Assess, authorize and continuously monitor security controls that are the responsibility of the agency

FedRAMP Overview

FedRAMP provides agencies with a standard approach for conducting security assessments of cloud services, replacing varied and duplicative procedures across government. The FedRAMP approach is based on an accepted set of baseline security controls and consistent processes that have been vetted and agreed upon by agencies across the federal government.  Per the OMB memo published on December 8, 2011, all low and moderate impact cloud services leveraged by more than one office or agency must comply with FedRAMP requirements.

Begin Meeting FedRAMP Requirements

Establishing a comprehensive inventory of all cloud services within an agency is a critical step on the path to FedRAMP compliance. Once established, the agency needs to work with CSPs to update contractual requirements and determine the path each cloud system will take in order to be FedRAMP compliant. In following the "do once, use many times" approach, agencies will want to frequently check the list of FedRAMP compliant cloud systems, and provide the FedRAMP PMO advance notice if a CSP decides to pursue a FedRAMP Agency ATO with the agency. If the CSP decides to pursue the JAB provisional authorization approach, then the agency must stay up to date with the provider's efforts to obtain the authorization. Careful coordination between CSPs, agencies, and the FedRAMP PMO will ensure that everyone uses the resources effectively to meet FedRAMP requirements.

Agency Overview of FedRAMP Security Assessment Process

If a security package is not available for leveraging and an agency decides to work with a CSP to grant an Agency ATO, the agency will become very familiar with the FedRAMP assessment process, by which the CSP documents its security controls, an independent assessor tests those controls, and the team produces a final security assessment package. This topic area highlights key aspects of the FedRAMP security assessment process.

Authorize

Grant a CSP an Authority to Operate

Whether leveraging an existing FedRAMP security assessment package or following the FedRAMP assessment process within an agency, an agency’s Authorizing Official will ultimately need to decide whether to grant the cloud system in question an Authority to Operate (ATO) within the agency. Prior to authorizing a cloud system, the agency will implement the customer and shared responsibility controls. It will then conduct a thorough review of the security assessment package to determine that it is complete, consistent, and compliant with FedRAMP requirements. Other factors to assess include:

  • Whether the hardware and software inventory is included
  • Whether the content addresses the who, what, when, and how
  • Whether supporting documentation is delivered and adequately referenced
  • Whether non-applicable controls are presented as implemented

FedRAMP Continuous Monitoring

Continuous monitoring is part of the risk management process of FedRAMP, and is a requirement for all CSPs to maintain an ATO. FedRAMP has chosen to implement continuous monitoring because it enables greater transparency into the CSP system and allows for timely risk-management decisions. The responsibilities of executive departments and agencies will vary depending on whether or not the organization grants an Authority to Operate (ATO) based on a Joint Authorization Board (JAB) provisional authorization. The FedRAMP ongoing assessment and authorization process comprises three steps: operational visibility, change control, and incident response.

Report Status of Agency FedRAMP Implementation

Executive departments and agencies must report quarterly, through PortfolioStat, all cloud services used by the agency to the Office of Management and Budget. The reports must include all cloud systems regardless of their FedRAMP compliance status. For those systems that are not FedRAMP compliant, the agency must provide an appropriate rationale and a proposed resolution for achieving compliance.
