Learn About FedRAMP
The Federal Risk and Authorization Program (FedRAMP) represents a unique opportunity for Cloud Service Providers (CSPs) doing business with the federal government. FedRAMP provides agencies and CSPs alike with a standard approach for conducting security assessments, replacing varied and duplicative procedures across government. The FedRAMP approach is based on an accepted set of baseline security controls and consistent processes that have been vetted and agreed upon by agencies across the federal government. Per the OMB memo published on December 8, 2011, all low and moderate impact cloud services leveraged by more than one office or agency must comply with FedRAMP requirements by 2014. If you are a CSP doing business with government, begin the dialogue with your agency partners regarding FedRAMP and reach out to the FedRAMP Program Management Office (PMO) with questions.
Share Your Experience with FedRAMP
Share your FedRAMP insights with fellow CSPs on the FedRAMP Forum.
Submit FedRAMP Application
Prior to initiating the FedRAMP application process, the CSP familiarizes itself with the program by reviewing the Security Assessment Framework and the Guide to Understanding FedRAMP. Once familiar with the program's requirements, the CSP indicates its interest in achieving a FedRAMP authorization by completing a simple application form. FedRAMP offers three paths to achieving authorization: JAB Provisional Authorization (P-ATO), Agency ATO, and CSP supplied. Additional information about the three paths to authorization can be found in the Security Assessment Framework.
Document Security Controls
To document security controls, the CSP must first complete a FIPS 199 worksheet to categorize the type of data that is contained within the system. The CSP must then select the FedRAMP security control baseline that matches the categorization level found on the completed FIPS 199 worksheet. With the baseline selected, the CSP must implement the security controls for that impact level. After implementing the baseline security controls laid out by FedRAMP to the maximum extent possible, the CSP documents how it addressed each security control. Complete and accurate documentation of how the cloud system meets and implements the FedRAMP security controls is critical to meeting FedRAMP requirements. Detailed information on documenting security controls can be found in the Security Assessment Framework.
Upon documenting its security control implementation, the CSP engages an independent assessor to evaluate the implementation of the FedRAMP security controls. CSPs that seek a JAB P-ATO or want to submit a CSP-supplied package must use a FedRAMP-accredited 3PAO to assess their information system. CSPs that want to submit an Agency ATO package may have their cloud system assessed by an agency-validated independent assessor or a FedRAMP-accredited 3PAO. If an assessor that is not a FedRAMP-accredited 3PAO is used, an attestation describing the independent assessor's technical qualifications shall be provided.
FedRAMP Continuous Monitoring
Continuous monitoring is part of the FedRAMP risk management process, and all CSPs must perform it to maintain an ATO. FedRAMP has chosen to implement continuous monitoring because it provides greater transparency into the CSP system and allows for timely risk-management decisions. The responsibilities of executive departments and agencies vary depending on whether the organization grants an Authority to Operate (ATO) based on a Joint Authorization Board (JAB) provisional authorization or not. The FedRAMP PMO manages the continuous monitoring activities of systems with FedRAMP JAB Provisional Authorizations. Agencies are responsible for managing the continuous monitoring activities for cloud services with an Agency ATO. For an Agency ATO, the agency must provide at minimum a yearly update on the CSP's security authorization package, including the continuous monitoring activities from the past year. The FedRAMP ongoing assessment and authorization process involves three steps: operational visibility, change control process, and incident response.