FedRAMP replaces varied and duplicative procedures across government by providing agencies with a standard approach for conducting security assessments of cloud services. The FedRAMP approach is based on an accepted set of baseline security controls and consistent processes that have been vetted and agreed upon by agencies across the federal government. Per the OMB memo published on December 8, 2011, all low and moderate impact cloud services leveraged by more than one office or agency must comply with FedRAMP requirements.
Begin Meeting FedRAMP Requirements
Establishing a comprehensive inventory of all cloud services within an agency is a critical first step on the path to FedRAMP compliance. Once the inventory exists, the agency needs to work with its CSPs to update contractual requirements and determine the path each cloud system will take to become FedRAMP compliant. In keeping with the "do once, use many times" approach, agencies should regularly check the list of FedRAMP compliant cloud systems and of systems in process, and should notify the FedRAMP PMO in advance if a CSP they work with decides to pursue a FedRAMP Agency ATO with that agency. If the CSP instead decides to pursue a JAB provisional authorization, the agency must stay up to date with the provider's progress toward that authorization. Agencies can also leverage a CSP-supplied security package already held in the FedRAMP secure repository and issue their own Agency ATO based on it. Careful coordination between CSPs, agencies, and the FedRAMP PMO ensures that all parties use their resources effectively to meet FedRAMP requirements.
Agency Overview of FedRAMP Security Assessment Process
If no security package is available for leveraging and an agency decides to work with a CSP to grant an Agency ATO, the agency will become closely involved in the FedRAMP assessment process, in which the CSP documents its security controls, an independent assessor tests those controls, and the team produces a final security assessment package. This topic area highlights the key aspects of that process.
FedRAMP Continuous Monitoring
Continuous monitoring is part of the FedRAMP risk management process, and every CSP must perform it to maintain an ATO. FedRAMP requires continuous monitoring because it provides greater transparency into the CSP system and supports timely risk management decisions. The responsibilities of executive departments and agencies vary depending on whether the organization grants an Authority to Operate (ATO) based on a Joint Authorization Board (JAB) provisional authorization or grants its own Agency ATO. The FedRAMP PMO manages the continuous monitoring activities of systems holding a FedRAMP JAB provisional authorization, while agencies are responsible for managing continuous monitoring of cloud services operating under an Agency ATO. For an Agency ATO, the agency must provide, at a minimum, a yearly update to the CSP's security authorization package covering the continuous monitoring activities of the past year. The FedRAMP ongoing assessment and authorization process covers three areas: operational visibility, the change control process, and incident response.
Report Status of Agency FedRAMP Implementation
Executive departments and agencies must provide the Office of Management and Budget with quarterly PortfolioStat reports listing all cloud services the agency uses. The reports must include every cloud system, regardless of whether it is FedRAMP compliant. For each system that is not FedRAMP compliant, the agency must provide an appropriate rationale and a proposed resolution for achieving compliance. Reporting occurs through the E-Gov Integrated Data Collection effort using MAX Collect.