The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government–wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. It is the result of close collaboration with cybersecurity and cloud experts from GSA, NIST, DHS, DOD, NSA, OMB, the Federal CIO Council and its working groups, and private industry.
FedRAMP goals include:
- Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
- Increase confidence in the security of cloud solutions
- Achieve consistent security authorizations using a baseline set of agreed-upon standards to be used for cloud product approval in or outside of FedRAMP
- Ensure consistent application of existing security practices
- Increase confidence in security assessments
- Increase automation and near-real-time data for continuous monitoring
FedRAMP enables the reuse of existing security assessments across the U.S. government while simultaneously providing improved real-time security visibility. Central to this strategy is the FedRAMP Joint Authorization Board (JAB), which was tasked with reviewing security assessment packages based on a prioritized approach. The JAB can also grant a cloud service provider (CSP) a provisional authorization that all federal agencies can leverage when granting an agency authority to operate, which saves both time and money.
Another FedRAMP innovation was the establishment of Third-Party Assessment Organizations (3PAOs), which were authorized by the federal government to independently verify and validate the implementation of security controls within a CSP environment.
The JAB established the criteria necessary to qualify as a 3PAO. The certifying criteria include independence and quality management specifications based on ISO/IEC standards, to ensure the requisite independence and quality systems needed to assess the security control implementations of CSPs. Technical competency criteria were also set, based on an evaluation of knowledge of security authorizations, to ensure the requisite skills and expertise to conduct such assessments.
The FedRAMP assessment process is initiated by an agency or a cloud service provider starting a security authorization using the FedRAMP requirements, which are FISMA compliant and based on NIST 800-53r4, and initiating work with the FedRAMP PMO. CSPs must implement the FedRAMP security requirements in their environment and hire a FedRAMP-approved 3PAO to perform an independent assessment that audits the cloud system and produces a security assessment package for review.