What is Federal Risk and Authorization Management Program?

The FedRAMP Program Management Office (PMO) provides guidance to Cloud Service Providers (CSPs) and Third-Party Assessors (3PAOs) on how to deliver a high quality authorization package.

*Source: https://www.fedramp.gov/faqs/

NIST provides standards and guidelines pertaining to risk management, information security, and privacy controls for information systems that are used by the U.S. federal government. FedRAMP uses NIST as part of its own framework to ensure that U.S. government agencies are using cloud services securely and efficiently.

Cloud service providers must demonstrate that their products meet FedRAMP compliance requirements in order to be certified or FedRAMP-authorized. To demonstrate compliance, they must:

• Implement proper security controls
• Complete a system security plan
• Obtain review from a FedRAMP third-party assessment organization
• Develop a plan of action to address any security weaknesses that are identified
• Implement a program to continuosly monitor any risks or vulnerabilities to the system

The FedRAMP authorization package consists of a System Security Plan that is prepared by the cloud service provider and a Security Assessment Plan, which is completed by a FedRAMP-approved third-party assesment organization.

*Source: https://blog.hootsuite.com/what-is-fedramp/