FedRAMP 

 
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a "do once, use many times" framework that saves the cost, time, and staff required to conduct redundant Agency security assessments.
 
FedRAMP is mandatory for Federal Agency cloud deployments and service models at the low, moderate, and high risk impact levels. The only exception is private cloud deployments intended for a single organization and implemented fully within federal facilities. Additionally, Agencies must submit a quarterly report in PortfolioStat listing all existing cloud services that do not meet FedRAMP requirements, with the rationale for each and the proposed resolution for achieving compliance.
 
Because the standardized approach to authorization, security assessment, and continuous monitoring is reusable across Agencies, FedRAMP helps federal organizations avoid repeating the same assessment for each cloud service and so saves considerable expense and time.
 
FedRAMP Ready means the cloud service provider (CSP) has completed a Readiness Assessment Report (RAR) that has been approved by the FedRAMP PMO. ... FedRAMP In Process means that the service is being reviewed for a JAB P-ATO or an Agency ATO.
 
FedRAMP and FISMA both use the NIST SP 800-53 security controls. The FedRAMP security controls are based on the NIST SP 800-53 Revision 4 baselines and add controls above the NIST baseline that address the unique elements of cloud computing. (FedRAMP has since transitioned its baselines to NIST SP 800-53 Revision 5; the Revision 4 baselines referred to here are the ones current when this document was written.)
 
 
FedRAMP documentation is maintained on fedramp.gov. Opportunities for large-scale public comment periods are announced through a number of channels and methods, including the fedramp.gov website, the blog, and the FedRAMP updates email list, to which you can subscribe.
 
 
The FedRAMP PMO estimates that the FedRAMP Readiness Assessment process should take two to four weeks for a "mid-size, straightforward system", divided roughly half
There are two types of FedRAMP authorizations for cloud services:

● A Provisional Authority to Operate (P-ATO) through the Joint Authorization Board (JAB)
● An Agency Authority to Operate (ATO)
 
P-ATO Process

A FedRAMP P-ATO is an initial approval of the CSP's authorization package by the JAB, which an Agency can leverage to grant its own ATO for the acquisition and use of the cloud service. The JAB consists of the Chief Information Officers (CIOs) of DOD, DHS, and GSA, supported by designated technical representatives (TRs) from their respective organizations. A P-ATO therefore means that the JAB has reviewed the cloud service's authorization package and given a provisional approval that Federal Agencies can rely on when granting an ATO for the cloud system. For a cloud service to enter the JAB process, it must first be prioritized through FedRAMP Connect. (Under OMB Memorandum M-24-15 of July 2024 the JAB was replaced by the FedRAMP Board; the JAB P-ATO path described here is the one in place when this document was written.)
 
Agency ATO Process

As part of the Agency authorization process, a CSP works directly with the Agency sponsor, which reviews the cloud service's security package. After the security assessment is complete, the head of the Agency (or their designee) can grant an ATO. For more information about these two authorization paths
 
 
The main distinction is that FedRAMP Ready systems are not FedRAMP Authorized. FedRAMP Ready systems must still undergo an authorization process, while FedRAMP Authorized systems have completed the process at least once already.
 
FedRAMP Ready indicates that a Third Party Assessment Organization (3PAO) attests to a cloud service's readiness for the authorization process, and that a Readiness Assessment Report (RAR) has been reviewed and approved by the FedRAMP PMO. The RAR documents the cloud service's capability to meet FedRAMP security requirements. The FedRAMP Ready designation is also required for any cloud service to enter the Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) process.
 
FedRAMP Authorized, by comparison, is a designation given to systems that have completed the FedRAMP authorization process.
 
Agencies can review the list of FedRAMP Authorized systems in the FedRAMP Marketplace to determine whether they are suitable for their use, and can then issue Agency ATOs. Agency personnel can request access to FedRAMP Agency authorization packages in the FedRAMP Secure Repository by completing an access request form.
 
 
Third Party Assessment Organizations

The Joint Authorization Board (JAB) is responsible for establishing accreditation standards. Third Party Assessment Organizations (3PAOs) perform the security assessments of cloud solutions. The JAB reviews authorization packages (which include the results of the 3PAO's assessment) and may grant a provisional authorization. The federal agency consuming the service still holds final responsibility for its own authority to operate. Participating vendors include providers of hosting services and Software as a Service packages, as well as several 3PAOs that also provide assessment and security consulting services to other vendors.
 
Applicability

The December 2011 OMB memorandum that established FedRAMP is applicable to:

a. Executive departments and agencies procuring commercial and non-commercial cloud services that are provided by information systems that support the operations and assets of the departments and agencies, including systems provided or managed by other departments or agencies, contractors, or other sources;

b. All cloud deployment models (e.g., Public Clouds, Community Clouds, Private Clouds, Hybrid Clouds) as defined by NIST; and

c. All cloud service models (e.g., Infrastructure as a Service, Platform as a Service, Software as a Service) as defined by NIST.
 
Checklist for CSPs (Cloud Service Providers) getting ready to undergo the FedRAMP process

1. You have the ability to process electronic discovery and litigation holds
2. You have the ability to clearly define and describe your system boundaries
3. You have reviewed the Guide to Understanding FedRAMP
4. You can identify customer responsibilities and what customers must do to implement controls
5. System provides identification and two-factor authentication for network access to privileged accounts
6. System provides identification and two-factor authentication for network access to non-privileged accounts
7. System provides identification and two-factor authentication for local access to privileged accounts
8. You can perform code analysis scans for code written in-house (non-COTS products)
9. You have boundary protections with logical and physical isolation of assets
10. You have the ability to remediate high risk issues within 30 days and medium risk issues within 90 days
11. You can provide an inventory and configuration build standards for all devices
12. System has safeguards to prevent unauthorized information transfer via shared resources
13. Cryptographic safeguards preserve the confidentiality and integrity of data during transmission
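
Item 10 is the one checklist entry a CSP has to demonstrate continuously rather than once: every open scan finding carries a remediation deadline counted from the date it was first detected, and the Plan of Action and Milestones (POA&M) has to show which findings are past it. The script below is an added example, not code from the original page or from FedRAMP; it computes those deadlines over a constructed set of findings and sorts the overdue ones to the top. It generalizes slightly beyond the page by also handling the 180-day window FedRAMP applies to low-risk findings, which the checklist does not mention. The `Finding` class, the finding identifiers and the as-of date are all hypothetical.

```python
"""POA&M remediation-deadline check for checklist item 10 (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# FedRAMP continuous-monitoring remediation windows, counted from the date the
# finding was first detected. The checklist above lists the High (30-day) and
# Moderate (90-day) windows; the Low window (180 days) is FedRAMP's figure and is
# included here as a generalization that is not on the original page.
REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    finding_id: str            # hypothetical identifier from a scan tool
    severity: str              # "high", "moderate" or "low"
    detected: date             # date of initial detection; the SLA clock starts here
    remediated: Optional[date] = None


def deadline(f: Finding) -> date:
    """Remediation due date for a finding, derived from its severity."""
    try:
        window = REMEDIATION_DAYS[f.severity.lower()]
    except KeyError:
        # An unknown severity must fail loudly rather than silently get no deadline.
        raise ValueError(f"unknown severity {f.severity!r} for {f.finding_id}") from None
    return f.detected + timedelta(days=window)


def status(f: Finding, today: date) -> str:
    """One of 'closed', 'closed-late', 'open', 'overdue'."""
    due = deadline(f)
    if f.remediated is not None:
        return "closed" if f.remediated <= due else "closed-late"
    return "overdue" if today > due else "open"


def report(findings: List[Finding], today: date) -> List[Tuple[str, str, str, int, str]]:
    """Rows of (id, severity, deadline, days_remaining, status); overdue items first,
    most overdue at the top. Negative days_remaining means the deadline has passed."""
    rows = []
    for f in findings:
        due = deadline(f)
        rows.append((f.finding_id, f.severity.lower(), due.isoformat(),
                     (due - today).days, status(f, today)))
    order = {"overdue": 0, "closed-late": 1, "open": 2, "closed": 3}
    rows.sort(key=lambda r: (order[r[4]], r[3]))
    return rows


# Constructed sample findings, not taken from any real scan or POA&M.
SAMPLE = [
    Finding("V-1001", "high", date(2024, 1, 1)),
    Finding("V-1002", "moderate", date(2024, 1, 1)),
    Finding("V-1003", "high", date(2024, 1, 20), remediated=date(2024, 2, 5)),
    Finding("V-1004", "low", date(2023, 6, 1)),
    Finding("V-1005", "high", date(2023, 11, 1), remediated=date(2024, 1, 15)),
]
AS_OF = date(2024, 2, 15)  # hypothetical reporting date

if __name__ == "__main__":
    for row in report(SAMPLE, AS_OF):
        print("%-7s %-9s due %s  %+4d days  %s" % row)
```

Two choices worth noting: the clock is keyed to the detection date, not the date the finding was entered in the POA&M, because that is the date an assessor will check against the scan evidence; and a finding closed after its due date is reported as `closed-late` rather than folded into `closed`, since late closures are what a 3PAO will ask about when it reviews the remediation history.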
 
 
