Introduction

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud products and services utilized by the federal government.

FedRAMP consists of two primary entities: the Joint Authorization Board (JAB) and the Program Management Office (PMO). Members of the JAB include the chief information officers (CIOs) of the Department of Defense, the Department of Homeland Security, and the General Services Administration (GSA). The JAB serves as the primary governance and decision-making body for FedRAMP.

The FedRAMP PMO resides within GSA. It supports agencies and cloud service providers through the FedRAMP authorization process and maintains a secure repository of FedRAMP authorizations so that security packages can be reused across agencies.

Requirements

Cloud service providers (CSPs) seeking FedRAMP authorization are expected to meet certain requirements, including the Document, Assess, Authorize, and Monitor requirements of the NIST Risk Management Framework (RMF) (see NIST SP 800-37).

FedRAMP assessments are performed by certified third-party assessor organizations (3PAOs) and involve assessing the CSP's implementation and performance of the security controls set forth in the System Security Plan, among other required documents.

CSPs can pursue different paths based on the agencies and FIPS 199 impact categories they intend to satisfy, including FedRAMP Low (125 controls), Moderate (325 controls), and High (421 controls). A separate classification also exists for low-impact software-as-a-service providers (LI-SaaS).