What is the Federal Risk and Authorization Management Program (FedRAMP)?
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
The governing bodies of FedRAMP include:
- The Office of Management and Budget (OMB): The governing body that issued the FedRAMP policy memo, which defines the key requirements and capabilities of the program.
- The Joint Authorization Board (JAB): The primary governance and decision-making body for FedRAMP, comprising the chief information officers (CIOs) of the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense (DOD).
- The National Institute of Standards and Technology (NIST): Advises FedRAMP on FISMA compliance requirements and assists in developing the standards for the accreditation of independent 3PAOs.
- The Department of Homeland Security (DHS): Manages the FedRAMP continuous monitoring strategy including data feed criteria, reporting structure, threat notification coordination, and incident response.
- The Federal Chief Information Officers (CIO) Council: Disseminates FedRAMP information to Federal CIOs and other representatives through cross-agency communications and events.
- The FedRAMP PMO: Established within GSA and responsible for the development of the FedRAMP program including the management of day-to-day operations.
Cloud Service Providers (CSPs) that want to offer their Cloud Service Offerings (CSOs) to the US government must demonstrate FedRAMP compliance. FedRAMP is based on the NIST Special Publication 800 series and requires cloud service providers to complete an independent security assessment conducted by a third-party assessment organization (3PAO) to ensure that authorizations comply with the Federal Information Security Management Act (FISMA). For more information, see the FedRAMP website.
What are the Requirements of FedRAMP?
The Cloud First Policy requires all federal agencies to use the FedRAMP process to conduct security assessments, authorizations, and continuous monitoring of cloud services. The FedRAMP Program Management Office (PMO) has outlined the following requirements for FedRAMP compliance:
- The cloud service provider (CSP) has been granted an Agency Authority to Operate (ATO) by a US federal agency, or a Provisional Authority to Operate (P-ATO) by the Joint Authorization Board (JAB).
- The CSP meets the FedRAMP security control requirements as described in the National Institute of Standards and Technology (NIST) SP 800-53, Rev. 4 security control baseline for the moderate or high impact level.
- All system security packages must use the required FedRAMP templates.
- The CSP must be assessed by an approved third-party assessment organization (3PAO).
- The completed security assessment package must be posted in the FedRAMP secure repository.
What are the types of FedRAMP compliance?
There are two routes to FedRAMP authorization (often referred to as FedRAMP certification).
Joint Authorization Board (JAB) Authorization
JAB authorization is a provisional authority to operate (P-ATO). The risk posture of the CSP is reviewed by an approved third-party assessment organization. The JAB is made up of representatives from the Department of Defense, the Department of Homeland Security, and the General Services Administration (GSA). To actually complete a service contract, a CSP will still have to proceed to agency authorization later.
Agency Authorization
This process involves a specific agency from the outset. The customer agency approves the CSP and helps arrange approval from the FedRAMP Program Management Office. The result of this process is the issuance of an Authority to Operate (ATO) letter, which gives the CSP the authorization to operate for that particular agency.