The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves cost, time, and staff required to conduct redundant agency security assessments.
What are the goals of FedRAMP?
The goals of FedRAMP are to:
- Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
- Increase confidence in security of cloud solutions
- Achieve consistent security authorizations using a baseline set of agreed upon standards and accredited independent third party assessment organizations
- Ensure consistent application of existing security practices
- Increase confidence in security assessments
- Increase automation and near real-time data for continuous monitoring
Why is FedRAMP needed?
Currently, each agency manages its own security risks and provides security assessments and authorizations for each information technology (IT) system it uses, even if other agencies have assessed, authorized, and deployed the same system. This is duplicative, inconsistent, costly, and inefficient. The existing security assessment and authorization approach used throughout the Federal government lacks focus on visibility of real-time persistent threats and mitigation actions. In accordance with OMB policy, the Office of Citizen Services and Innovative Technology (OCSIT), within the General Services Administration (GSA), is standing up and managing FedRAMP, to provide a unified and government-wide risk management framework that addresses these problems. FedRAMP increases agency confidence in the security of cloud systems in three major areas:
- Providing joint security assessments and authorizations based on a standardized baseline set of security controls
- Using approved Third Party Assessment Organizations to consistently evaluate a Cloud Service Provider’s ability to meet the security controls
- Coordinating continuous monitoring services.
When will FedRAMP launch services?
FedRAMP has launched Initial Operational Capability (IOC).
Is FedRAMP Mandatory?
Yes. FedRAMP is mandatory for Federal Agency cloud deployments and service models at the low and moderate risk impact levels. Private cloud deployments intended for single organizations and implemented fully within Federal facilities are the only exception. Additionally, each year Executive departments and agencies must submit to the Federal CIO a listing of all existing cloud services that do not meet FedRAMP requirements with the appropriate rationale and proposed resolutions. Once FedRAMP is operational, Federal Agencies have 2 years to ensure that currently implemented cloud services or those services in an active acquisition process meet FedRAMP requirements.
What kind of IT systems will FedRAMP authorize?
FedRAMP will review and authorize cloud computing systems at the FISMA low and moderate impact levels. At this point, FedRAMP will not focus on FISMA high impact levels.
What restrictions are there on the use of the FedRAMP name and logo?
The use of the FedRAMP name and logo follows the standard used for a Service Mark. Its use is not allowed unless approved by the FedRAMP PMO. Requests can be sent to questions@FedRAMP.gov.
Who are the key organizations involved in FedRAMP?
Joint Authorization Board (JAB) – performs risk authorizations and grants the provisional ATO; members are the CIOs from the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense.
FedRAMP PMO – housed within GSA and responsible for operational management.
NIST – provides technical assistance to the 3PAO process, maintains FISMA standards, and establishes technical standards.
Federal CIO Council – coordinates cross-agency communications.
DHS – monitors and reports on security incidents and provides data for continuous monitoring.
Agencies – use the FedRAMP process when conducting risk assessments, security authorizations, and granting an ATO to a cloud service.
Third Party Assessment Organizations – perform initial and ongoing independent verification and validation of the security controls deployed within the Cloud Service Provider’s information system.
Cloud Service Providers – implement the security controls within their products and services needed to meet the security requirements outlined in FedRAMP.
Please see the FedRAMP Concept of Operations document for additional detail on FedRAMP roles and responsibilities.
How do Cloud Service Providers enter the FedRAMP process?
To initiate the process, a CSP or Federal Agency submits a completed FedRAMP Request Form and Federal Information Processing Standards (FIPS) 199 worksheet to FedRAMP. CSPs wishing to meet the FedRAMP requirements should work with an agency with which they have existing contracts or may contact the FedRAMP PMO at info@FedRAMP.gov. Please consult the Concept of Operations document for additional information and requirements to initiate the FedRAMP process.
Who can apply for 3PAO accreditation?
All potential 3PAOs must conform to either (1) Type A inspection body or (2) Type C inspection body according to Section 4.2 of ISO/IEC 17020:1998. Both private sector companies as well as groups within executive departments and agencies with the mission of performing independent security assessments of information systems can apply to become a FedRAMP accredited 3PAO. A Cloud Service Provider cannot be a 3PAO.
Who selects the 3PAO to perform initial and ongoing independent verification and validation of the security controls deployed within the Cloud Service Provider’s information system?
The payment and selection of a 3PAO is a contractual issue between a CSP and Federal Agency. Independence is assured through the ISO/IEC 17020:1998 requirements.
Who pays for the 3PAOs?
The payment for 3PAO services is dependent upon the contract between a CSP and Executive departments or agencies. Typically Federal Agencies require 3PAO services to be paid for by CSPs. The FedRAMP PMO will provide template contract language for Federal Agencies to use when determining the proper party to pay for 3PAO services.
Who will do the continuous monitoring and ongoing authorization of the cloud systems?
As a part of the FedRAMP requirements, Federal agencies must implement a continuous monitoring program for any cloud system they deploy. FedRAMP requirements for continuous monitoring work to coordinate ongoing security across CSPs and agencies in accordance with DHS policies and guidance. However, agencies have ultimate responsibility for the continuous monitoring and ongoing authorization of the systems they use.
How does the FedRAMP assessment process work?
The FedRAMP assessment process involves the following key process areas: initiating, assessing, authorizing (provisional or Agency ATO), leveraging, and ongoing assessment and authorization. Please see the FedRAMP Concept of Operations document for detail on the assessment process.
How do I find a list of FedRAMP authorized CSPs?
The FedRAMP PMO will maintain a list of FedRAMP authorized systems on FedRAMP.gov. Additionally, the FedRAMP PMO will maintain a secure repository for agencies to review the security authorization packages to leverage.
How will cloud services be prioritized for FedRAMP review?
The JAB has defined the priority queue as:
“FedRAMP will prioritize the review of cloud systems with the objective to assess and authorize cloud systems that can be leveraged government-wide.
In order to accomplish this, FedRAMP will prioritize Secure Infrastructure as a Service (IaaS) solutions, contract vehicles for commodity services, and shared services in alignment with the Administration’s ‘Cloud First’ policy as discussed in the ‘25 Point Implementation Plan to Reform Federal Information Technology Management’.
When reviewing cloud systems according to this priority, there are two distinct categories of cloud systems: (1) cloud systems with existing Federal agency authority-to-operates (ATOs) and (2) cloud systems without an existing Federal agency ATO. FedRAMP will initially place higher priority with cloud services that have existing ATOs in order to develop lessons learned to provide for rapid maturation of FedRAMP. As FedRAMP matures, FedRAMP will review cloud systems equally from both categories as resources allow.”
What is a FedRAMP authorization and how do agencies leverage it?
In accordance with FISMA, only the head of an agency can make the risk-based determination to use IT systems. The FedRAMP JAB will review the risk posture of cloud systems and provide “provisional authorizations” based on the submitted security package. The head of an agency can then leverage the provisional authorization, including all supporting documentation, when making his or her own risk-based decision to grant an agency authorization or ATO.
What does it mean for CSPs to have a Provisional Authorization?
A provisional authorization is an initial approval of the CSP authorization package by the Joint Authorization Board (JAB) that an Executive department or agency can leverage to grant a security authorization and an accompanying Authority to Operate (ATO) for the acquisition and use of the cloud service within their Agency. The FedRAMP JAB consists of the Chief Information Officers from DOD, DHS, and GSA, supported by designated technical representatives from their respective member organizations. Before granting a provisional authorization, the JAB reviews the CSP authorization package in much the same way a leveraging agency would – by reviewing the body of evidence contained in the authorization package provided by the CSP and verified by a 3PAO – to make risk-based decisions regarding the use of a cloud system.
Will FedRAMP create an extra step (and burden) for Federal agencies in granting security authorizations?
No – FedRAMP will streamline the security authorization process for Federal agencies. Federal agencies must meet FedRAMP requirements for all cloud IT systems – but do not have to wait for a FedRAMP JAB provisional authorization to grant an agency-specific ATO once the FedRAMP requirements are met. Please see the FedRAMP Concept of Operations document for the process for Federal agencies to follow to complete security authorizations that meet FedRAMP requirements – both when the cloud system is and is not prioritized for review by the JAB.
Must an agency issue an Authority to Operate (ATO) for a system that has received a JAB Provisional Authorization?
Individual Federal agencies are the only entities that can issue an authority to operate (ATO). A FedRAMP provisional authorization means that the Joint Authorization Board (JAB) has reviewed the authorization package and provides an initial approval for Federal agencies to leverage when granting an ATO for a cloud system.
Are FedRAMP authorizations going to have to be re-authorized every 3 years, per OMB A-130?
In accordance with OMB Memorandum 11-33 and DHS FISMA compliance guidance, continuous monitoring programs (like the ones FedRAMP will require in accordance with NIST Special Publication 800-137 Revision 1) fulfill the three year security reauthorization process required by A-130 – making a separate re-authorization process unnecessary.
What needs to be done with cloud services that have existing ATOs?
The FedRAMP Program Management Office (PMO) will define the requirements and process by which an agency or CSP can demonstrate compliance with FedRAMP requirements for a cloud system – this will include the process for new systems as well as those with an existing ATO.
Additionally, all Executive departments and agencies shall provide to the Federal CIO, annually on April 30, a written certification, signed jointly by the Chief Information Officer and Chief Financial Officer, listing all cloud services that the agency determines cannot meet the FedRAMP security authorization requirements, with appropriate rationale and proposed resolutions. Accordingly, for cloud services with existing ATOs, the agency CIO and CFO must make an annual determination each April on whether or not their cloud systems can meet FedRAMP requirements, or provide a documented rationale or plan of action to OMB for not doing so.
Is the cost of a FedRAMP authorization a barrier to entry for small businesses?
The FedRAMP model of ‘do once, use many times’ actually removes a barrier to entry for small businesses to work with Federal Agencies. Instead of CSPs having to expend resources for security authorizations with each Federal Agency customer, they can complete a FedRAMP authorization once and re-use with subsequent Federal Agency customers – saving both time and money.
What guidelines do agencies need to incorporate within contracts to ensure CSPs meet FedRAMP requirements?
The FedRAMP PMO will provide federal agencies with standard contract clauses and general guidelines on areas that require SLAs in a cloud computing environment, along with additional considerations. However, specific SLAs should be covered by leveraging Agencies in their contracts with the CSPs.
Is FedRAMP a new set of controls or are there new controls?
There are no “new” controls for FedRAMP. The FedRAMP security controls are based on NIST SP 800-53 R3 controls for low and moderate impact systems and contain controls and enhancements above the NIST baseline for low and moderate impact systems that address the unique elements of cloud computing.
How will FedRAMP manage and track an agency’s use of additional security controls?
The FedRAMP security controls are a baseline of controls designed to meet the needs of agencies using cloud systems at the low and moderate impact levels, but Agencies can implement additional security controls for agency-specific needs. The FedRAMP PMO will provide a process for Federal agencies to address additional security controls beyond the FedRAMP baseline. These additional controls are not a part of the FedRAMP requirements and will be up to the individual agencies to manage.
When is a 3PAO required?
CSPs that go through FedRAMP must use a 3PAO to provide an independent verification and validation of the security implementations required by FedRAMP. FedRAMP provisional authorizations must include an assessment by a FedRAMP accredited 3PAO to ensure a consistent assessment process.
Why is FedRAMP accrediting 3PAOs?
Currently, there is no standard or guidance for CSPs and Executive departments and agencies to use when choosing 3PAOs. The FedRAMP PMO and the National Institute of Standards and Technology (NIST) have designed a conformity assessment process for use with FedRAMP to ensure the independence, management quality, and technical quality of 3PAOs using a standard and consistent security assessment process.