The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. federal government program that standardizes the security assessment, risk assessment, authorization, and continuous monitoring processes for cloud services used by federal agencies.
Both commercial and non-commercial cloud services (including those developed internally by federal agencies) must comply with FedRAMP if they are to be adopted by federal entities.
Key regulatory requirements:
- A System Security Plan (SSP) that describes the cloud system boundaries, system environment, how it operates, and the security processes and policies that are in place.
- A set of standardized security controls derived from NIST SP 800-53, including access controls, incident response, contingency planning, and system and information integrity.
- Continuous monitoring and reporting on the cloud service's security state, including regular reporting, change management processes, and vulnerability scanning.
- Compliance with 26 NIST 800-53 control families.
- Annual security assessments conducted by a Third Party Assessment Organization (3PAO).
FedRAMP is managed by the General Services Administration (GSA), while individual federal agencies are responsible for granting an Authority to Operate (ATO) and for ensuring that the cloud services they use are FedRAMP compliant.
Non-compliance means that a cloud service provider may not be granted an ATO, effectively barring its service from adoption by federal agencies.