What is FedRAMP Compliance?
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government regulation that dictates a standardized approach for security assessment, authorization, and continuous monitoring of cloud products and services offered by cloud service providers (CSPs); these products and services are collectively referred to as Cloud Service Offerings (CSOs).
FedRAMP was introduced in 2011 as a memorandum to government agency CIOs to improve the state of information technology systems within the federal government. It encourages agencies to explore cloud computing options before they allocate financial resources to new infrastructure.
Prior to FedRAMP, every federal agency managed its own security assessments based on guidance provided by the Federal Information Security Management Act (FISMA). That resulted in a scattershot, undisciplined approach to assessing the security of CSPs. Before FedRAMP, each agency using a cloud product or service had to conduct its own security assessment and issue an Authority to Operate (ATO); under FedRAMP, an ATO can be inherited in full or in part, reducing the administrative burden and the time to compliance when a new agency acquires the offering.
FedRAMP affects both federal agencies, such as the Department of Defense (DoD) and the Department of Homeland Security (DHS), and CSPs. Federal agencies are required to ensure that the cloud products and services they use are FedRAMP compliant, and CSPs are responsible for attaining and maintaining FedRAMP compliance for their products and services. FedRAMP authorization seeks to determine whether CSPs meet the appropriate federal cloud security guidelines.
To qualify, CSPs must be audited by a FedRAMP-accredited third-party assessment organization (3PAO), which confirms whether they are FedRAMP compliant.