FedRAMP

Agency overview: formed 2011

The Federal Risk and Authorization Management Program (FedRAMP) is a United States federal government-wide compliance program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. [1]


In 2011, the Office of Management and Budget (OMB) released a memorandum establishing FedRAMP "to provide a cost-effective, risk-based approach for the adoption and use of cloud services to Executive departments and agencies." [2] The General Services Administration (GSA) established the FedRAMP Program Management Office (PMO) in June 2012. The FedRAMP PMO mission is to promote the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment. [3] Per the OMB memorandum, any cloud services that hold federal data must be FedRAMP authorized. [4] FedRAMP prescribes the security requirements and processes that cloud service providers must follow in order for the government to use their service.

There are two paths to a FedRAMP authorization for a cloud service: a provisional authorization (P-ATO) granted by the Joint Authorization Board (JAB), [5] or an authorization granted by an individual agency. [6]

Before the introduction of FedRAMP, individual federal agencies managed their own assessment methodologies following guidance set by the Federal Information Security Management Act of 2002. [7]

FedRAMP provides accreditation for cloud services across the three cloud service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

Governance and applicable laws

FedRAMP is governed by different Executive Branch entities that collaborate to develop, manage, and operate the program. [8] These entities include:

There are several laws, mandates, and policies that are foundational to FedRAMP. FISMA (the Federal Information Security Modernization Act) requires that agencies authorize the information systems that they use. FedRAMP is FISMA for the cloud. The FedRAMP Policy Memo requires federal agencies to use FedRAMP when assessing, authorizing, and continuously monitoring cloud services; the aim is to aid agencies in the authorization process, save government resources, and eliminate duplicative effort. [9] FedRAMP's security baselines are derived from NIST SP 800-53 (as revised), with a set of control enhancements that address the security requirements specific to cloud computing.

Third-party assessment organizations

Third-party assessment organizations (3PAOs) play a critical role in the FedRAMP security assessment process, as they are the independent assessment organizations that verify cloud providers’ security implementations and provide the overall risk posture of a cloud environment for a security authorization decision. [10] Accredited by the American Association for Laboratory Accreditation (A2LA), these assessment organizations must demonstrate independence and the technical competence required to test security implementations and collect representative evidence.

FedRAMP Marketplace

The FedRAMP Marketplace provides a searchable, sortable database of Cloud Service Offerings (CSOs) that have achieved a FedRAMP designation. [11] 3PAOs, accredited auditors that can perform the FedRAMP assessment, are listed within the Marketplace. The FedRAMP Marketplace is maintained by the FedRAMP Program Management Office (PMO). [12]


References

  1. "FedRAMP.gov". FedRAMP.gov. 2020-03-26. Retrieved 2020-04-05.
  2. "Policy memo" (PDF). www.fedramp.gov. Retrieved 2020-04-05.
  3. "FedRAMP.gov". FedRAMP.gov. 2020-03-26. Retrieved 2020-04-05.
  4. "Policy memo" (PDF). www.fedramp.gov. Retrieved 2020-04-05.
  5. "Get Authorized: Joint Authorization Board". FedRAMP.gov. Retrieved 2020-04-05.
  6. "Get Authorized: Agency Authorization". FedRAMP.gov. Retrieved 2020-04-05.
  7. "DOD turns to FedRAMP and cloud brokering -- FCW". FCW. 2014-05-21. Retrieved 2020-04-05.
  8. "Governance". FedRAMP.gov. Retrieved 2020-04-05.
  9. "Policy memo" (PDF). www.fedramp.gov. Retrieved 2020-04-05.
  10. "Policy memo" (PDF). www.fedramp.gov. Retrieved 2020-04-05.
  11. "The Federal Risk And Management Program Dashboard". marketplace.fedramp.gov. Retrieved 2021-07-28.
  12. "Marketplace designations" (PDF). www.fedramp.gov. Retrieved 2020-04-05.