FedRAMP
What is FedRAMP?
FedRAMP: A U.S. government program that standardizes security assessment, authorization, and continuous monitoring for cloud services used by federal agencies.
The Federal Risk and Authorization Management Program (FedRAMP) was established by OMB in 2011 and codified in statute by the FedRAMP Authorization Act of 2022. It provides a single, reusable security authorization for Cloud Service Offerings (CSOs) sold to U.S. federal agencies, so that each agency does not have to assess the same service from scratch. A Cloud Service Provider (CSP) is assessed by an accredited Third-Party Assessment Organization (3PAO) against the NIST SP 800-53 control baseline that matches the impact level of the data the service will handle (Low, Moderate, or High) and receives an Authority to Operate (ATO). Historically this was either a Joint Authorization Board (JAB) Provisional ATO (P-ATO) or an Agency ATO; since OMB replaced the JAB with the FedRAMP Board in 2024, new authorizations are issued by agencies. Authorized services are listed on the FedRAMP Marketplace and must sustain continuous monitoring, including monthly deliverables such as the Plan of Action and Milestones (POA&M), and must report security incidents to CISA and the authorizing agency. The program is administered by GSA with OMB oversight and is intended to eliminate duplicate audits across agencies.
● Examples
- 01
A SaaS vendor pursuing a FedRAMP Moderate ATO so federal agencies can purchase its product.
- 02
An agency reusing an existing FedRAMP High P-ATO to onboard a cloud collaboration service.
● Frequently asked questions
What is FedRAMP?
A U.S. government program that standardizes security assessment, authorization, and continuous monitoring for cloud services used by federal agencies. It belongs to the Compliance & Frameworks category of cybersecurity.
What does FedRAMP mean?
FedRAMP stands for the Federal Risk and Authorization Management Program: a U.S. government program that standardizes security assessment, authorization, and continuous monitoring for cloud services used by federal agencies.
How do you achieve FedRAMP authorization?
FedRAMP is a compliance program rather than a threat, so the question is how to obtain and keep an authorization: implement the NIST SP 800-53 controls for the target baseline (Low, Moderate, or High), have an accredited 3PAO assess them, obtain an ATO from an authorizing agency, and then sustain continuous monitoring, including monthly POA&M updates and incident reporting, so the authorization is not revoked.
What are other names for FedRAMP?
Common alternative names include: Federal Risk and Authorization Management Program.