FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) offers a standardized approach to security authorizations for cloud service offerings. Either an individual agency or the Joint Authorization Board (JAB) can start the authorization process. When an agency or the JAB accepts the risk outlined in the System Security Plan (SSP) and actively collaborates with the Cloud Service Provider (CSP) to obtain a FedRAMP Authorization, the CSP receives FedRAMP In Process status.
FedRAMP has released an updated Agency Authorization Playbook that includes best practices, tips, and step-by-step instructions for agencies looking to conduct initial FedRAMP Authorizations or reuse FedRAMP Authorized Cloud Service Offerings (CSO). The playbook is intended to inform federal agencies about the FedRAMP Authorization process, but the information is also useful to all FedRAMP stakeholders.

The playbook includes information on:

  • Using the FedRAMP Marketplace.
  • Understanding the FedRAMP reuse procedure.
  • The FedRAMP Agency Liaison program.
  • The FedRAMP PMO’s package review procedure for Agency Authorizations.
  • Additional information about Collaborative Continuous Monitoring.

FISMA & FedRAMP

The Federal Information Security Management Act (FISMA) and the Federal Risk and Authorization Management Program (FedRAMP) both aim to protect government data and reduce information security risk within federal information systems. However, the two are not identical.

FISMA is a 2002 law that establishes compliance requirements for the storage and processing of government data. It requires federal agencies and their private-sector vendors to implement information security controls that safeguard the data security postures of federal information systems. All private-sector firms that sell services to the federal government must follow FISMA regulations. NIST SP 800-53 is the primary framework for ensuring FISMA compliance. FISMA assessments have traditionally focused on information systems supporting a single agency.

FedRAMP, on the other hand, is a government-wide program that provides federal agencies with a standardized approach to assessing, authorizing, and managing cloud security. The systems FedRAMP evaluates for government agencies are commercial cloud-based systems (such as IaaS, PaaS, and SaaS) used by private-sector enterprises. The government established FedRAMP to make it easier for agencies to procure cloud services. If a cloud service provider is actively working with an agency or the Joint Authorization Board (JAB) to obtain a FedRAMP authorization, the CSP is granted FedRAMP In Process status.

FedRAMP Marketplace

The FedRAMP Marketplace includes a searchable and sortable database of FedRAMP-designated Cloud Service Offerings (CSOs), a list of federal agencies that use them, and FedRAMP-certified auditors (3PAOs) who can assess them.

FedRAMP Authorized Cloud Service Providers (CSPs) include leading cloud-based enterprise solutions like Microsoft, IBM, Amazon Web Services, and Salesforce.