The Federal Risk and Authorization Management Program (FedRAMP) is a program that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud products and services that are used by U.S. government agencies. FedRAMP was designed to help streamline the adoption of cloud products and ensure that the appropriate security measures are always in place.
The FedRAMP Program Management Office (PMO) provides guidance to Cloud Service Providers (CSPs) and Third-Party Assessors (3PAOs) on how to deliver a high quality authorization package.
*Source: https://www.fedramp.gov/faqs/
NIST publishes the standards and guidelines on risk management, information security, and privacy controls for information systems used by the U.S. federal government. FedRAMP builds on those publications, most directly the NIST SP 800-53 security control catalog and the Risk Management Framework, so that agencies adopt cloud services securely and consistently.
Cloud service providers must demonstrate that their products meet FedRAMP's requirements in order to become FedRAMP-authorized. To demonstrate compliance, they must:
The FedRAMP authorization package consists of a System Security Plan (SSP), prepared by the cloud service provider, together with the Security Assessment Plan (SAP) and the resulting Security Assessment Report (SAR), which are completed by a FedRAMP-recognized third-party assessment organization (3PAO).
Read our guides to learn best practices on how to eliminate issues and risks and launch high-quality, compliant products to market.