FedRAMP
{{Short description|US government cybersecurity program}}
{{Infobox government agency
| logo = File:FedRAMP_Logo.svg
| formed = 2011
}}
The Federal Risk and Authorization Management Program (FedRAMP) is a United States federal government-wide compliance program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.{{cite web | title=FedRAMP.gov | website=FedRAMP.gov | date=2020-03-26 | url=https://fedramp.gov/ | access-date=2020-04-05}}
In 2011, the Office of Management and Budget (OMB) released a memorandum establishing FedRAMP "to provide a cost-effective, risk-based approach for the adoption and use of cloud services to Executive departments and agencies."{{cite web |url=https://www.fedramp.gov/assets/resources/documents/FedRAMP_Policy_Memo.pdf |title=Policy memo |last= |first= |date= |website=www.fedramp.gov |format=PDF|access-date=2020-04-05}} The General Services Administration (GSA) established the FedRAMP Program Management Office (PMO) in June 2012. The FedRAMP PMO mission is to promote the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment.{{cite web | title=FedRAMP.gov | website=FedRAMP.gov | date=2020-03-26 | url=https://fedramp.gov/ | access-date=2020-04-05}} Per the OMB memorandum, any cloud services that hold federal data must be FedRAMP authorized.{{cite web |url=https://www.fedramp.gov/assets/resources/documents/FedRAMP_Policy_Memo.pdf |title=Policy memo |last= |first= |date= |website=www.fedramp.gov |format=PDF|access-date=2020-04-05}} FedRAMP prescribes the security requirements and processes that cloud service providers must follow in order for the government to use their service.
There are two paths to authorizing a cloud service through FedRAMP: a provisional authorization (P-ATO) from the Joint Authorization Board (JAB),{{cite web | title=Get Authorized: Joint Authorization Board | website=FedRAMP.gov | url=https://fedramp.gov/jab-authorization/ | access-date=2020-04-05}} or an authorization issued by an individual agency.{{cite web | title=Get Authorized: Agency Authorization | website=FedRAMP.gov | url=https://fedramp.gov/agency-authorization/ | access-date=2020-04-05}}
Before the introduction of FedRAMP, individual federal agencies managed their own assessment methodologies following guidance set by the Federal Information Security Management Act of 2002.{{cite web | title=DOD turns to FedRAMP and cloud brokering -- FCW | website=FCW | date=2014-05-21 | url=https://fcw.com/articles/2014/05/21/drill-down-dod-fedramp-and-cloud-brokering.aspx | access-date=2020-04-05 | archive-date=2020-10-31 | archive-url=https://web.archive.org/web/20201031105521/https://fcw.com/articles/2014/05/21/drill-down-dod-fedramp-and-cloud-brokering.aspx | url-status=dead }}
FedRAMP provides accreditation for cloud services across the main cloud offering models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
Governance and applicable laws
FedRAMP is governed by different Executive Branch entities that collaborate to develop, manage, and operate the program.{{cite web | title=Governance | website=FedRAMP.gov | url=https://fedramp.gov/governance/ | access-date=2020-04-05}} These entities include:
- The Office of Management and Budget (OMB): The governing body that issued the FedRAMP policy memo, which defines the key requirements and capabilities of the program
- The Joint Authorization Board (JAB): The primary governance and decision-making body for FedRAMP, composed of the chief information officers (CIOs) of the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense (DOD)
- The National Institute of Standards and Technology (NIST): Advises FedRAMP on FISMA compliance requirements and assists in developing the standards for the accreditation of independent 3PAOs
- The Department of Homeland Security (DHS): Manages the FedRAMP continuous monitoring strategy including data feed criteria, reporting structure, threat notification coordination, and incident response
- The Federal Chief Information Officers (CIO) Council: Disseminates FedRAMP information to Federal CIOs and other representatives through cross-agency communications and events
- The FedRAMP PMO: Established within GSA and responsible for the development of the FedRAMP program, including the management of day-to-day operations
Several laws, mandates, and policies are foundational to FedRAMP. FISMA, the Federal Information Security Modernization Act, requires that agencies authorize the information systems they use; FedRAMP applies this FISMA requirement to cloud services. The FedRAMP Policy Memo requires federal agencies to use FedRAMP when assessing, authorizing, and continuously monitoring cloud services, both to aid agencies in the authorization process and to save government resources by eliminating duplicative effort.{{cite web |url=https://www.fedramp.gov/assets/resources/documents/FedRAMP_Policy_Memo.pdf |title=Policy memo |last= |first= |date= |website=www.fedramp.gov |format=PDF|access-date=2020-04-05}} FedRAMP's security baselines are derived from NIST SP 800-53 (as revised), with a set of control enhancements that address the unique security requirements of cloud computing.
Third-party assessment organizations
Third-party assessment organizations (3PAOs) play a critical role in the FedRAMP security assessment process, as they are the independent assessment organizations that verify cloud providers’ security implementations and provide the overall risk posture of a cloud environment for a security authorization decision.{{cite web |url=https://www.fedramp.gov/assets/resources/documents/FedRAMP_Policy_Memo.pdf |title=Policy memo |last= |first= |date= |website=www.fedramp.gov |format=PDF|access-date=2020-04-05}} Accredited by the American Association for Laboratory Accreditation (A2LA), these assessment organizations must demonstrate independence and the technical competence required to test security implementations and collect representative evidence.
FedRAMP Marketplace
The FedRAMP Marketplace provides a searchable, sortable database of Cloud Service Offerings (CSOs) that have achieved a FedRAMP designation.{{Cite web|title=The Federal Risk And Management Program Dashboard|url=https://marketplace.fedramp.gov/|access-date=2021-07-28|website=marketplace.fedramp.gov}} 3PAOs, accredited auditors that can perform the FedRAMP assessment, are listed within the Marketplace. The FedRAMP Marketplace is maintained by the FedRAMP Program Management Office (PMO).{{cite web |url=https://www.fedramp.gov/assets/resources/documents/FedRAMP_Marketplace_Designations_for_Cloud_Service_Providers.pdf |title= Marketplace designations |date= |website= www.fedramp.gov|format=PDF|access-date=2020-04-05}}
References
{{reflist}}
External links
- {{Official website|https://www.fedramp.gov}}
- [https://marketplace.fedramp.gov/ FedRAMP Marketplace]
- [https://www.fismacenter.com/fedrampmemo.pdf FedRAMP memo (2011)]
- [https://www.fedramp.gov/20x/ FedRAMP 20x]
Category:Computer security standards
Category:United States Office of Management and Budget
Category:Internet properties established in 2011