FedRAMP provides agencies with a standard approach for conducting security assessments of cloud services, replacing varied and duplicative procedures across government. The FedRAMP approach is based on an accepted set of baseline security controls and consistent processes that have been vetted and agreed upon by agencies across the federal government. Per the OMB memo published on December 8, 2011, all low and moderate impact cloud services leveraged by more than one office or agency must comply with FedRAMP requirements.
Share Your Experience with FedRAMP
Join the discussion with other agencies working to meet FedRAMP requirements on the FedRAMP Forum.
Begin Meeting FedRAMP Requirements
Establishing a comprehensive inventory of all cloud services within an agency is a critical step on the path to FedRAMP compliance. Once the inventory is established, the agency needs to work with CSPs to update contractual requirements and determine the path each cloud system will take in order to become FedRAMP compliant. In following the "do once, use many times" approach, agencies will want to check the list of FedRAMP compliant cloud systems frequently, and give the FedRAMP PMO advance notice if a CSP decides to pursue a FedRAMP Agency ATO with their agency. If the CSP decides to pursue the JAB provisional authorization approach, the agency must stay up to date with the provider's efforts to obtain that authorization. Careful coordination between CSPs, agencies, and the FedRAMP PMO ensures that everyone uses the available resources effectively to meet FedRAMP requirements.
Agency Overview of FedRAMP Security Assessment Process
If a security package is not available for leveraging and an agency decides to work with a CSP to grant an Agency ATO, they will become very familiar with the FedRAMP assessment process by which the CSP documents its security controls, an independent assessor tests those controls, and the team produces a final security assessment package. This topic area highlights key aspects of the FedRAMP security assessment process.
FedRAMP Continuous Monitoring
Continuous monitoring is part of the FedRAMP risk management process, and it is a requirement for all CSPs in order to maintain an ATO. FedRAMP has chosen to implement continuous monitoring because it enables greater transparency into the CSP system and allows for timely risk management decisions. The responsibilities of executive departments and agencies will vary depending on whether the organization grants an Authority to Operate (ATO) based on a Joint Authorization Board (JAB) provisional authorization or not. The FedRAMP ongoing assessment and authorization process occurs after three steps: operational visibility, change control process, and incident response.
Report Status of Agency FedRAMP Implementation
Executive departments and agencies must report quarterly, through PortfolioStat, all cloud services used by the agency to the Office of Management and Budget. The reports must include all cloud systems regardless of their FedRAMP compliance status. For those systems that are not FedRAMP compliant, the agency must provide an appropriate rationale and a proposed resolution for achieving compliance.