FedRAMP – The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
In their blog, StackArmor explains the FedRAMP program:
“FedRAMP certification is a security and compliance accreditation requirement for commercial Cloud Service Providers (CSP) looking to sell their solutions to US Government agencies. FedRAMP certifications are managed by the General Services Administration (GSA) which is a US Government agency operating the program.”
The goal is an "approve once, use many" model. It addresses a key inefficiency: previously, each agency had to repeat the same intensive assessment and approval process for a given cloud service, a massive duplication of effort. Once a service is FedRAMP authorized, its authorization package is available for any agency to reuse.
Furthermore, an agency can sponsor a cloud service's authorization, as U.S. Customs and Border Protection did for Questionmark's FedRAMP Authorization.
As the FedRAMP site describes it:
“FedRAMP standardizes the Federal Government’s requirements and approach to security assessment, authorization, and monitoring of cloud products and services. The FedRAMP program established several cloud security baselines in accordance with FISMA and OMB A-130 and aligned with the NIST RMF and NIST SP 800-53.
In accordance with FISMA, each agency is required to issue an Authority to Operate (ATO) to authorize operation and accept the risk of using an information system. FISMA, and the President’s Executive Order, require agency heads to be responsible for information security risk within that agency and, while FedRAMP helps streamline and support agency risk determinations, ultimately that responsibility lies with the individual agency.”
Authorization is achieved via the 'JAB process', in which the Joint Authorization Board grants a Provisional ATO (P-ATO) that agencies then rely on when issuing their own 'ATO' (Authority to Operate), or via an agency-sponsored authorization as described above: