FedRAMP

FedRAMP (Federal Risk and Authorization Management Program) is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies.

Established by an OMB memorandum in December 2011 and later codified in law by the FedRAMP Authorization Act of 2022, FedRAMP was created to accelerate the adoption of cloud computing across the federal government while ensuring consistent security standards and allowing one authorization package to be reused by many agencies. The program is managed by the FedRAMP Program Management Office (PMO) within the General Services Administration (GSA) and works in conjunction with the Department of Homeland Security, the Department of Defense, and NIST.

FedRAMP defines three impact levels based on FIPS 199 categorization: Low, Moderate, and High. Each level corresponds to a security control baseline derived from NIST SP 800-53, with the baseline growing as the impact level rises. Under the Rev. 4 baselines, Low-impact systems required approximately 125 controls, Moderate-impact systems around 325, and High-impact systems approximately 421; the current Rev. 5 baselines (aligned to NIST SP 800-53 Rev. 5) revise these counts to roughly 156, 323, and 410 respectively. Most FedRAMP-authorized cloud offerings, and the bulk of federal data handled in the cloud, fall into the Moderate category.

Cloud service providers (CSPs) have historically achieved FedRAMP authorization through two paths. A Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) involves review by the CIOs of DHS, DOD, and GSA and is typically sought by CSPs serving multiple agencies; note that a P-ATO is provisional by design, and each agency that adopts the service still issues its own ATO by leveraging the JAB-reviewed package. Alternatively, an Agency Authority to Operate (ATO) involves a single agency sponsoring and authorizing the CSP for its specific use case, after which other agencies may reuse that package. The JAB structure described here reflects the program as it operated through 2024; OMB's July 2024 FedRAMP memorandum replaced the JAB with a FedRAMP Board, so CSPs starting an authorization today should check the current program guidance.

The authorization process includes documentation preparation (centred on the System Security Plan), a security assessment conducted by a Third-Party Assessment Organization (3PAO) accredited by A2LA, remediation of findings tracked in a Plan of Action and Milestones (POA&M), and authorization by the JAB or sponsoring agency. Once authorized, CSPs must maintain their authorization through continuous monitoring, which includes monthly vulnerability scanning of operating systems, web applications, and databases, monthly POA&M delivery, an annual assessment by a 3PAO, and ongoing reporting of security incidents and significant changes. Two practical details often catch new CSPs out: confirmed incidents must be reported to US-CERT/CISA and affected agencies within one hour, and scan findings carry fixed remediation deadlines of 30 days for High, 90 days for Moderate, and 180 days for Low severity; significant changes to the authorized boundary must be submitted as a Significant Change Request before they are implemented.

Related Terms

compliance, federal, cloud security, government
