FedRAMP Security Controls
Cloud Service Providers (CSPs) play an integral role in the FedRAMP process.
  • Directly apply or work with a sponsoring agency to submit an offering for FedRAMP authorization
  • Implement the baseline security controls and meet the accompanying FedRAMP requirements
  • Hire an accredited Third Party Assessment Organization (3PAO) to perform an independent system assessment when working toward a Joint Authorization Board (JAB) Provisional Authorization or submitting a package without an Agency ATO
  • Create and submit an authorization package
  • Provide continuous monitoring reports and updates to FedRAMP

Cloud services offer agencies capabilities and opportunities for cost savings, business improvements, and increased efficiency. 


Learn About FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) represents a unique opportunity for Cloud Service Providers (CSPs) doing business with the federal government. FedRAMP provides agencies and CSPs alike with a standard approach for conducting security assessments, replacing the varied and duplicative procedures previously used across government. The FedRAMP approach is based on an accepted set of baseline security controls and consistent processes that have been vetted and agreed upon by agencies across the federal government. Per the OMB memo published on December 8, 2011, all low and moderate impact cloud services leveraged by more than one office or agency must comply with FedRAMP requirements by 2014. If you are a CSP doing business with government, begin the dialogue with your agency partners regarding FedRAMP and reach out to the FedRAMP Program Management Office (PMO) with questions.

Share Your Experience with FedRAMP

Share your FedRAMP insights with fellow CSPs on the FedRAMP Forum.


Submit FedRAMP Application

Prior to initiating the FedRAMP application process, the CSP familiarizes itself with the program by reviewing the Security Assessment Framework and the Guide to Understanding FedRAMP. Once familiar with the program's requirements, the CSP indicates its interest in achieving a FedRAMP authorization by completing a simple application form. FedRAMP offers three paths to authorization: JAB Provisional Authorization (P-ATO), Agency ATO, and CSP-supplied package. Additional information about the three paths can be found in the Security Assessment Framework.

Document

Document Security Controls

To document security controls, the CSP first completes a FIPS 199 worksheet to categorize the data contained within the system. The CSP then selects the FedRAMP security control baseline that matches the categorization level determined on the completed FIPS 199 worksheet. With the baseline selected, the CSP implements the security controls for that impact level. After implementing the FedRAMP baseline controls to the maximum extent possible, the CSP documents how each control was addressed. Complete and accurate documentation of how the cloud system meets and implements the FedRAMP security controls is critical to meeting FedRAMP requirements. Detailed information on documenting security controls can be found in the Security Assessment Framework.


Independently Verify Security

Upon documenting their security control implementation, the CSP engages an independent assessor to evaluate the implementation of the FedRAMP security controls. CSPs that seek a JAB P-ATO or want to submit a CSP-supplied package must use a FedRAMP-accredited 3PAO to assess their information system. CSPs that want to submit an Agency ATO package may have their cloud system assessed either by an agency-validated independent assessor or by a FedRAMP-accredited 3PAO. If a non-FedRAMP-accredited assessor is used, then an attestation describing the Independent Assessor's technical qualifications shall be provided.


Authorize

After testing has been completed, the Independent Assessor (IA) delivers the Security Assessment Report (SAR) to the CSP for review. Once the IA and CSP complete their review, the SAR is shared with the authorizing official's security team to determine the overall risk of the system. The IA and CSP create a Plan of Action and Milestones (POA&M) to address the specific vulnerabilities identified in the system. The CSP then submits a final security assessment package for review and authorization. The formal decision to authorize a cloud system is made in the form of an ATO letter provided to the CSP by the authorizing agency (or, for a P-ATO, by the JAB).


FedRAMP Continuous Monitoring

Continuous monitoring is part of the FedRAMP risk management process, and all CSPs must perform it to maintain an ATO. FedRAMP requires continuous monitoring because it provides greater transparency into the CSP system and allows for timely risk-management decisions. The responsibilities of executive departments and agencies vary depending on whether the organization grants an Authority to Operate (ATO) based on a Joint Authorization Board (JAB) provisional authorization or not. The FedRAMP ongoing assessment and authorization process consists of three areas: operational visibility, change control, and incident response.


Discuss

Join the discussion on the FedRAMP forum
