The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
FISMA, the Federal Information Security Modernization Act, requires that agencies authorize the information systems they use. FedRAMP is, in effect, FISMA for the cloud. The FedRAMP Policy Memo requires federal agencies to use FedRAMP when assessing, authorizing, and continuously monitoring cloud services, both to aid agencies in the authorization process and to save government resources by eliminating duplicative effort. The Department of Homeland Security manages the FedRAMP continuous monitoring strategy, including data feed criteria, reporting structure, threat notification coordination, and incident response.
FedRAMP’s security baselines are derived from NIST SP 800-53 (as revised) with a set of control enhancements that pertain to the unique security requirements of cloud computing.
The General Services Administration (GSA) established the FedRAMP Program Management Office (PMO) in June 2012. The PMO's mission is to promote the adoption of secure cloud services across the Federal Government by providing a standardized approach to security and risk assessment; under the policy memo, any cloud service that holds federal data must be FedRAMP Authorized. The PMO is established within GSA and is responsible for developing the FedRAMP program and managing its day-to-day operations. FedRAMP prescribes the security requirements and the process that cloud service providers must follow in order for the government to use their services.
There are two ways to authorize a cloud service through FedRAMP:
- 1) A Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO)
- 2) Agency Authority to Operate (ATO)
FedRAMP has also released FedRAMP Tailored for low-impact SaaS (LI-SaaS; Slack is one example). FedRAMP Tailored was developed to support industry solutions that are low risk and low cost for agencies to deploy and use.
The Joint Authorization Board (JAB) is the primary governance and decision-making body for FedRAMP. It is made up of the Chief Information Officers (CIOs) of the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense (DOD).
For an agency ATO, the sponsoring agency reviews the CSP (Cloud Service Provider) package for completeness and for an acceptable level of risk. Additionally, any agency-specific controls and a delta assessment are required before the service is authorized to operate.
FedRAMP is an important program because the government relies on it to keep its cloud services secure. Any CSP that wants to do business with the government needs to comply with FedRAMP, which also makes it a useful benchmark for any company using cloud services. Thanks for reading and stay tuned for more information and insight in our future blogs.