The Federal Risk and Authorization Management Program (FedRAMP) is designed to promote the adoption of secure cloud services across the federal government. It provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud technologies.
Definition and purpose
The ultimate purpose of FedRAMP is the protection of federal information in the cloud. FedRAMP enables the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations and allowing agencies to leverage security authorizations on a government-wide scale.
The primary governance and decision-making body for FedRAMP is the Joint Authorization Board (JAB), which consists of the Chief Information Officers from the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA).
FedRAMP is updated in alignment with NIST 800-53. Most recently, FedRAMP baselines were updated in December 2021 to align with NIST’s Rev. 5.
FedRAMP is mandatory for any organization that provides cloud computing products and services to government agencies.
Controls and requirements
FedRAMP is a derivative of NIST 800-53. It uses the same NIST 800-53 baselines (Low, Moderate, High) with the same associated controls, but builds upon them by specifying certain parameters and additional requirements.
Cloud service providers (CSPs) that are pursuing FedRAMP compliance must implement the controls assigned to their respective security control baseline. The Low baseline has the fewest controls (125) and can be considered the least stringent. High has the most controls (421) and can be considered the most stringent. Moderate falls in the middle with 325 controls.
Please refer to the official FedRAMP documentation for a detailed list of controls and requirements.
Audit type, frequency, and duration
There are two ways that a cloud service provider (CSP) can get its cloud service offering authorized through FedRAMP: by obtaining sponsorship from an individual federal agency or by obtaining a JAB provisional authorization (P-ATO). Both paths begin with a readiness assessment, documented in a Readiness Assessment Report (RAR). Once the FedRAMP PMO approves the RAR, the CSP is designated as Ready in the FedRAMP Marketplace and can continue with the authorization process.
Whether a CSP pursues agency authorization or JAB provisional authorization, it must be assessed by a Third Party Assessment Organization (3PAO). 3PAOs are independent assessment organizations that verify a CSP’s security control implementations and report the overall risk posture of the cloud environment to support a security authorization decision.
These assessments are then reviewed by the agency or the JAB. If any issues are identified, the CSP and the 3PAO must remediate them. Once remediation is complete, the agency issues an Authority to Operate (ATO), or the JAB issues a formal authorization decision and, if favorable, grants a Provisional Authority to Operate (P-ATO).