
Definition

The Federal Risk and Authorization Management Program (FedRAMP) is a United States government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

FedRAMP enables federal agencies and cloud solution providers (CSPs) to adapt rapidly from old, insecure, legacy IT to mission-enabling, secure, cost-effective, cloud-based IT.

FedRAMP defines and manages a core set of processes to ensure effective, repeatable cloud security for the government. It also established a mature marketplace to increase the use of and familiarity with cloud services while facilitating collaboration across government through the open exchange of lessons learned, use cases, and tactical solutions.

What are the goals of FedRAMP?

FedRAMP aims to:

  • Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
  • Improve confidence in the security of cloud solutions and security assessments
  • Achieve consistent security authorizations using a baseline set of agreed-upon standards for cloud product approval in or outside of FedRAMP
  • Ensure consistent application of existing security practices
  • Increase automation and use of near-real-time data for continuous monitoring

What are the FedRAMP governance bodies?

The governance of FedRAMP is performed by various executive branch entities that work collaboratively to develop, manage, and operate the program. FedRAMP governing bodies include the following:

  • Joint Authorization Board (JAB) is the primary governance and decision-making body for FedRAMP. It includes the chief information officers (CIOs) from the Department of Homeland Security (DHS), General Services Administration (GSA), and Department of Defense (DOD).
  • Office of Management and Budget (OMB) is the governing body that issued the FedRAMP policy memo, which defines the key requirements and capabilities of the program.
  • CIO Council disseminates FedRAMP information to federal CIOs and other representatives through cross-agency communications and events.
  • FedRAMP Program Management Office (PMO) is within GSA and is responsible for the development of the FedRAMP program including the management of day-to-day operations.
  • Department of Homeland Security (DHS) manages the FedRAMP continuous monitoring strategy including data feed criteria, reporting structure, threat notification coordination, and incident response.
  • National Institute of Standards and Technology (NIST) advises FedRAMP on Federal Information Security Modernization Act (FISMA) compliance requirements and assists in developing the standards for the accreditation of independent third-party assessment organizations (3PAOs).

What requires FedRAMP compliance?

Per an OMB memorandum, any cloud services offering (CSO) that holds federal data must be FedRAMP authorized.

FedRAMP compliance is mandatory for federal agency cloud deployments and service models at the low-, moderate-, and high-risk impact levels. Private cloud deployments intended for single organizations and implemented fully within federal facilities are the only exception.


What types of authorizations are available for FedRAMP?

FedRAMP cloud service authorizations include:


Who is involved in FedRAMP authorization?

  • Federal agencies can save money and time by adopting innovative cloud services to meet their critical mission needs.
  • CSPs offer cloud services that allow federal agencies to meet their mission needs securely and quickly.
  • 3PAOs perform initial and periodic assessments of cloud systems to ensure they meet FedRAMP requirements.

How do federal agencies, CSPs, and 3PAOs satisfy FedRAMP requirements?

The FedRAMP Security Controls Baseline document provides an overview of the security controls, enhancements, parameters, requirements, and guidance listed in the FedRAMP System Security Plan templates.

Federal agencies and CSPs must implement these security controls, enhancements, parameters, and requirements within a cloud computing environment to satisfy FedRAMP requirements. The security controls and enhancements have been selected from the NIST SP 800-53 Revision 4 catalog of controls. The selected controls and enhancements apply to cloud systems categorized as low-, moderate-, or high-impact information systems as defined in Federal Information Processing Standards (FIPS) Publication 199.


How can Black Duck help satisfy FedRAMP requirements?

Application security (AppSec) is a significant component of achieving FedRAMP compliance, and Black Duck can address all your AppSec needs and controls. The Black Duck portfolio includes AppSec tools and services that help address many of the FedRAMP control families, including:

  • Awareness and training
  • Configuration management
  • Identification and authentication
  • Planning
  • Risk assessment
  • Security assessment and authorization
  • System and information integrity
  • System and services acquisition

Black Duck tools and services provide full or partial compliance for AppSec-related FedRAMP needs and controls.