As a primary actor in the FedRAMP process, agencies engage with CSPs, 3PAOs, and the FedRAMP PMO on a number of fronts in order to meet FedRAMP requirements. Agencies that successfully navigate FedRAMP:
  • Leverage the FedRAMP PMO process and the JAB-approved FedRAMP security authorization requirements as a baseline when initiating, reviewing, granting and revoking security authorizations for cloud services
  • Require cloud service providers to meet FedRAMP requirements via contractual provisions
  • Identify and annually report on cloud services being used that do not meet FedRAMP requirements 
  • Assess, authorize and continuously monitor security controls that are the responsibility of the agency


FedRAMP Overview

FedRAMP replaces varied and duplicative procedures across government by providing agencies with a standard approach for conducting security assessments of cloud services. The FedRAMP approach is based on an accepted set of baseline security controls and consistent processes that have been vetted and agreed upon by agencies across the federal government.  Per the OMB memo published on December 8, 2011, all low and moderate impact cloud services leveraged by more than one office or agency must comply with FedRAMP requirements.

Share Your Experience with FedRAMP

Join the discussion with other agencies working to meet FedRAMP requirements on the FedRAMP Forum.


Begin Meeting FedRAMP Requirements

Establishing a comprehensive inventory of all cloud services within an agency is a critical first step on the path to FedRAMP compliance. Once the inventory exists, the agency needs to work with each CSP to update contractual requirements and determine the path each cloud system will take to become FedRAMP compliant. Following the "do once, use many times" approach, agencies should regularly check the list of FedRAMP compliant cloud systems and those in process, and should give the FedRAMP PMO advance notice if a CSP it is working with decides to pursue a FedRAMP Agency ATO with that agency. If the CSP decides to pursue the JAB provisional authorization approach, then the agency must stay up to date with the provider's efforts to obtain that authorization. Additionally, agencies can leverage a CSP-supplied package found in the FedRAMP secure repository and issue their own Agency ATO based on it. Careful coordination between CSPs, agencies, and the FedRAMP PMO ensures that all parties use their resources effectively to meet FedRAMP requirements.


Agency Overview of FedRAMP Security Assessment Process

If no security package is available for leveraging and an agency decides to work with a CSP to grant an Agency ATO, the agency will become very familiar with the FedRAMP assessment process, in which the CSP documents its security controls, an independent assessor (a 3PAO) tests those controls, and the team produces a final security assessment package. This topic area highlights key aspects of the FedRAMP security assessment process.


Authorize

Grant a CSP an Authority to Operate

Whether leveraging an existing FedRAMP security assessment package or following the FedRAMP assessment process within an agency, the agency's Authorizing Official must ultimately make a risk-based decision to grant the cloud system in question an Authority to Operate (ATO) within the agency. The decision is formalized in an ATO letter provided to the CSP system owner. Prior to authorizing a cloud system, the agency implements the customer and shared responsibility controls that fall to it. It then conducts a thorough review of the security assessment package to determine that it is complete, consistent, and compliant with FedRAMP requirements. Points to check during that review include:

  • Whether a hardware and software inventory is included
  • Whether each control description addresses the who, what, when, and how of the implementation
  • Whether supporting documentation has been delivered and is adequately referenced
  • Whether any controls marked not applicable are instead presented as implemented

With the “do once, use many times” framework, FedRAMP allows for agencies to reuse authorization packages that have already been completed.  Agencies can find the list of packages available for review on the FedRAMP website and can access completed packages in the secure repository maintained by the FedRAMP PMO.


FedRAMP Continuous Monitoring

Continuous monitoring is part of the FedRAMP risk management process, and every CSP must perform it to maintain an ATO. FedRAMP requires continuous monitoring because it provides greater transparency into the CSP system and allows for timely risk-management decisions. The responsibilities of executive departments and agencies vary depending on whether the organization grants its ATO based on a Joint Authorization Board (JAB) provisional authorization or not. The FedRAMP PMO manages the continuous monitoring activities of systems with FedRAMP JAB Provisional Authorizations. Agencies are responsible for managing the continuous monitoring of cloud services with an Agency ATO. For an Agency ATO, the agency must provide at minimum a yearly update to the CSP's security authorization package, including the continuous monitoring activities from the past year. The FedRAMP ongoing assessment and authorization process covers three areas: operational visibility, change control, and incident response.


Report Status of Agency FedRAMP Implementation

Executive departments and agencies must provide the Office of Management and Budget with quarterly PortfolioStat reports listing all cloud services used by the agency. The reports must include all cloud systems, regardless of whether they are FedRAMP compliant. For systems that are not FedRAMP compliant, the agency must provide an appropriate rationale and a proposed resolution for achieving compliance. Reporting occurs through the E-Gov Integrated Data Collection effort using MAX Collect.
