FedRAMP

FedRAMP
Agency overview
Formed	2011

The Federal Risk and Authorization Management Program (FedRAMP) is a United States federal government-wide compliance program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.^[1]

In 2011, the Office of Management and Budget (OMB) released a memorandum establishing FedRAMP "to provide a cost-effective, risk-based approach for the adoption and use of cloud services to Executive departments and agencies."^[2] The General Services Administration (GSA) established the FedRAMP Program Management Office (PMO) in June 2012. The FedRAMP PMO mission is to promote the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment.^[3] Per the OMB memorandum, any cloud services that hold federal data must be FedRAMP authorized.^[4] FedRAMP prescribes the security requirements and processes that cloud service providers must follow in order for the government to use their service.

There are two ways to authorize a cloud service through FedRAMP: a Joint Authorization Board (JAB) provisional authorization (P-ATO),^[5] and through individual agencies.^[6]

Before the introduction of FedRAMP, individual federal agencies managed their own assessment methodologies following guidance set by the Federal Information Security Management Act of 2002.^[7]

FedRAMP provides accreditation for cloud services for the various cloud offering models which are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service, (SaaS).

^ "FedRAMP.gov". FedRAMP.gov. 2020-03-26. Retrieved 2020-04-05.
^ "Policy memo" (PDF). www.fedramp.gov. Retrieved 2020-04-05.
^ "FedRAMP.gov". FedRAMP.gov. 2020-03-26. Retrieved 2020-04-05.
^ "Policy memo" (PDF). www.fedramp.gov. Retrieved 2020-04-05.
^ "Get Authorized: Joint Authorization Board". FedRAMP.gov. Retrieved 2020-04-05.
^ "Get Authorized: Agency Authorization". FedRAMP.gov. Retrieved 2020-04-05.
^ "DOD turns to FedRAMP and cloud brokering -- FCW". FCW. 2014-05-21. Archived from the original on 2020-10-31. Retrieved 2020-04-05.

[1] "FedRAMP.gov". FedRAMP.gov. 2020-03-26. Retrieved 2020-04-05.

[2] "Policy memo" (PDF). www.fedramp.gov. Retrieved 2020-04-05.

[3] "FedRAMP.gov". FedRAMP.gov. 2020-03-26. Retrieved 2020-04-05.

[4] "Policy memo" (PDF). www.fedramp.gov. Retrieved 2020-04-05.

[5] "Get Authorized: Joint Authorization Board". FedRAMP.gov. Retrieved 2020-04-05.

[6] "Get Authorized: Agency Authorization". FedRAMP.gov. Retrieved 2020-04-05.

[7] "DOD turns to FedRAMP and cloud brokering -- FCW". FCW. 2014-05-21. Archived from the original on 2020-10-31. Retrieved 2020-04-05.

[1]

[2]

[3]

[4]

[5]

[6]

[7]