The Federal Risk and Authorization Management Program, or FedRAMP, is a federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services and cloud products offered by cloud service providers (CSPs).
Steven VanRoekel, then U.S. Chief Information Officer, established FedRAMP in a December 2011 memorandum to federal agency CIOs. The memorandum built on the administration's earlier "Cloud First" policy, which directed agencies to evaluate cloud computing options before spending money on new infrastructure. As more agencies moved workloads to the cloud, the need for a consistent way to assess the security of those services grew with them.
Before FedRAMP, each federal agency ran its own security assessment and authorization process under the Federal Information Security Management Act (FISMA) of 2002, so a cloud provider serving several agencies had to be assessed separately by each one. FedRAMP replaces that duplicated effort with a single assessment that any agency can reuse.
The FedRAMP authorization process is meant to make it easier for federal agencies to contract with CSPs by determining whether a provider's cloud service offering meets federal cloud security requirements. As part of this process, each offering is assessed by an independent third-party assessment organization (3PAO), which tests the implemented controls and documents the results in a security assessment report. The 3PAO does not itself certify or authorize the provider; its report is one input to the authorization decision described below.
The technical core of FedRAMP is the National Institute of Standards and Technology's (NIST) Special Publication 800-53, a catalog of security and privacy controls for federal information systems. FedRAMP selects controls from that catalog for each impact level and adds cloud-specific parameters and requirements on top of them to form the FedRAMP baselines.
There are three security baseline levels of FedRAMP authorization:
- Low impact
- Moderate impact
- High impact
The level a cloud service offering is assessed against is determined by the kind of federal data it will handle and the protection that data requires. Following FIPS 199, each level reflects the potential impact on the agency if the confidentiality, integrity, or availability of that information were compromised: limited for Low, serious for Moderate, and severe or catastrophic for High. The higher the level, the larger the set of controls the offering must implement and the more rigorous the assessment.
In addition, the FedRAMP program has established a Joint Authorization Board (JAB) that is made up of chief information officers from the U.S. Department of Defense (DoD), U.S. Department of Homeland Security (DHS), and the General Services Administration (GSA).
The JAB establishes the FedRAMP security baselines and requirements and reviews authorization packages, including the 3PAO assessment results. It may grant a provisional authority to operate (P-ATO) for a cloud service offering. A P-ATO is not an agency authorization, however: each federal agency that consumes the service remains responsible for issuing its own authorization to operate (ATO) for its use of that service. An agency can also sponsor and grant a FedRAMP authorization directly, without going through the JAB, in which case the agency's ATO is the FedRAMP authorization.
Although obtaining a FedRAMP authorization is demanding, it is required for cloud service providers that want to offer their services to U.S. federal agencies.