The Federal Risk and Authorization Management Program (FedRAMP) is a United States federal government-wide compliance program that standardizes security assessment, authorization, and continuous monitoring for cloud services. Established by the Office of Management and Budget in 2011, FedRAMP aims to provide a cost-effective, risk-based approach for federal cloud service adoption. The General Services Administration manages its program office, ensuring cloud providers meet required security standards. Authorization can be granted via the Joint Authorization Board or through individual agencies. FedRAMP accredits cloud models including IaaS, PaaS, and SaaS, replacing earlier agency-specific assessments under the Federal Information Security Management Act.
Governance and applicable laws
FedRAMP is governed by different Executive Branch entities that collaborate to develop, manage, and operate the program.8 These entities include:
- The Office of Management and Budget (OMB): The governing body that issued the FedRAMP policy memo, which defines the key requirements and capabilities of the program
- The Joint Authorization Board (JAB): The primary governance and decision-making body for FedRAMP comprises the chief information officers (CIOs) from the Department of Homeland Security (DHS), General Services Administration (GSA), and Department of Defense (DOD)
- The National Institute of Standards and Technology (NIST): Advises FedRAMP on FISMA compliance requirements and assists in developing the standards for the accreditation of independent 3PAOs
- The Department of Homeland Security (DHS): Manages the FedRAMP continuous monitoring strategy including data feed criteria, reporting structure, threat notification coordination, and incident response
- The Federal Chief Information Officers (CIO) Council: Disseminates FedRAMP information to Federal CIOs and other representatives through cross-agency communications and events
- The FedRAMP PMO: Established within GSA and responsible for the development of the FedRAMP program, including the management of day-to-day operations
There are several laws, mandates, and policies that are foundational to FedRAMP. FISMA–the Federal Information Security Modernization Act–requires that agencies authorize the information systems that they use. FedRAMP is FISMA for the cloud. The FedRAMP Policy Memo requires federal agencies to use FedRAMP when assessing, authorizing, and continuously monitoring cloud services in order to aid agencies in the authorization process as well as save government resources and eliminate duplicative efforts.9 FedRAMP's security baselines are derived from NIST SP 800-53 (as revised) with a set of control enhancements that pertain to the unique security requirements of cloud computing.
Third-party assessment organizations
Third-party assessment organizations (3PAOs) play a critical role in the FedRAMP security assessment process, as they are the independent assessment organizations that verify cloud providers’ security implementations and provide the overall risk posture of a cloud environment for a security authorization decision.10 Accredited by the American Association for Laboratory Accreditation (A2LA), these assessment organizations must demonstrate independence and the technical competence required to test security implementations and collect representative evidence.
FedRAMP Marketplace
The FedRAMP Marketplace provides a searchable, sortable database of Cloud Service Offerings (CSOs) that have achieved a FedRAMP designation.11 3PAOs, accredited auditors that can perform the FedRAMP assessment, are listed within the Marketplace. The FedRAMP Marketplace is maintained by the FedRAMP Program Management Office (PMO).12
See also
External links
References
"FedRAMP.gov". FedRAMP.gov. 2020-03-26. Retrieved 2020-04-05. https://fedramp.gov/ ↩
"Policy memo" (PDF). www.fedramp.gov. Retrieved 2020-04-05. https://www.fedramp.gov/assets/resources/documents/FedRAMP_Policy_Memo.pdf ↩
"FedRAMP.gov". FedRAMP.gov. 2020-03-26. Retrieved 2020-04-05. https://fedramp.gov/ ↩
"Policy memo" (PDF). www.fedramp.gov. Retrieved 2020-04-05. https://www.fedramp.gov/assets/resources/documents/FedRAMP_Policy_Memo.pdf ↩
"Get Authorized: Joint Authorization Board". FedRAMP.gov. Retrieved 2020-04-05. https://fedramp.gov/jab-authorization/ ↩
"Get Authorized: Agency Authorization". FedRAMP.gov. Retrieved 2020-04-05. https://fedramp.gov/agency-authorization/ ↩
"DOD turns to FedRAMP and cloud brokering -- FCW". FCW. 2014-05-21. Archived from the original on 2020-10-31. Retrieved 2020-04-05. https://web.archive.org/web/20201031105521/https://fcw.com/articles/2014/05/21/drill-down-dod-fedramp-and-cloud-brokering.aspx ↩
"Governance". FedRAMP.gov. Retrieved 2020-04-05. https://fedramp.gov/governance/ ↩
"Policy memo" (PDF). www.fedramp.gov. Retrieved 2020-04-05. https://www.fedramp.gov/assets/resources/documents/FedRAMP_Policy_Memo.pdf ↩
"Policy memo" (PDF). www.fedramp.gov. Retrieved 2020-04-05. https://www.fedramp.gov/assets/resources/documents/FedRAMP_Policy_Memo.pdf ↩
"The Federal Risk And Management Program Dashboard". marketplace.fedramp.gov. Retrieved 2021-07-28. https://marketplace.fedramp.gov/ ↩
"Marketplace designations" (PDF). www.fedramp.gov. Retrieved 2020-04-05. https://www.fedramp.gov/assets/resources/documents/FedRAMP_Marketplace_Designations_for_Cloud_Service_Providers.pdf ↩