M-24-15 Section IV. The FedRAMP Authorization Process
The FedRAMP program provides for the issuance of FedRAMP "authorizations," making it easier and more efficient for agencies to securely use cloud computing products and services.[^1] When the FedRAMP PMO confirms that a Cloud Service Offering (CSO)[^2] meets the rigorous standards of FedRAMP authorization requirements and approves the offering for inclusion in the Marketplace, the CSO is considered FedRAMP-authorized. A FedRAMP authorization is not an endorsement of a product or service. Rather, by certifying that a cloud product or service has completed a FedRAMP authorization process, FedRAMP establishes that the security posture of the product or service has been assessed and is presumptively adequate for use by Federal agencies. The assessment of security controls and materials within a FedRAMP authorization package should also be presumed adequate when incorporated into a broader authorization for another CSO.
The FedRAMP Board shall establish and regularly update requirements and guidelines for security authorizations of cloud computing products and services, consistent with standards and guidelines established by NIST, to be used in the determination of FedRAMP authorizations.[^3]
a. The Presumption of Adequacy
FedRAMP should reduce duplicative work for agencies and companies alike, bringing a measure of consistency and coherence to what the Federal Government requires from cloud providers. To that end, if a given cloud product or service has a FedRAMP authorization at a given FIPS 199 impact level, the Act requires that agencies must presume the security assessment documented in the authorization package is adequate for their use in issuing an authorization to operate at or below that FIPS 199 impact level.[^4]
This presumption of adequacy applies as long as a FedRAMP authorization is actively maintained by satisfying ongoing requirements (i.e., continuous monitoring). For this presumption to be useful, FedRAMP should ensure that its processes for authorization are usable for all types of cloud products and services and for unique agency needs. Multiple agencies must be able to rely on the FedRAMP authorizations.
This presumption of the adequacy of FedRAMP authorizations does not supersede or conflict with the authorities and responsibilities of agency heads under the Federal Information Security Modernization Act of 2014 (FISMA) to make determinations about their security needs.[^5] An agency may overcome this presumption if the agency determines that it has a "demonstrable need"[^6] for security requirements beyond those reflected in the FedRAMP authorization package,[^7] or that the information in the existing package is "wholly or substantially deficient for the purposes of performing an authorization" of a given product or service.[^8] If a new authorization is issued following additional work, the agency that performed the additional authorization work must document in the resulting authorization package the reasons that it found the previous FedRAMP package deficient. The agency will inform the FedRAMP PMO of the deficiency. The FedRAMP Director remains responsible for deciding whether an agency's additional security needs merit conducting additional FedRAMP authorization work, and thus using additional FedRAMP resources, to support a revised package.
b. Authorization Process Requirements
FedRAMP is responsible for defining the processes and criteria that must be met in order for a cloud product or service to receive a FedRAMP authorization.[^9] For cloud products and services that do not fall within the scope as described in Section III, a FedRAMP authorization is not required. FedRAMP should take advantage of the authorization work that is already happening within agencies that can support Government-wide reuse. To that end, the FedRAMP program will establish a process and criteria for expediting the authorization of packages submitted by interested agencies with demonstrably mature authorization processes.
FedRAMP is designed to enable use of innovative cloud technologies by Federal agencies in a way that appropriately manages risks. Accordingly, the FedRAMP authorization process should not only require CSPs to demonstrate security capabilities that meet the expectations of Federal agencies, but should also recognize the value of newer industry practices that offer alternative implementation methods that improve security and/or compensate for controls that would ordinarily be required. This process for assessing and documenting the security of cloud computing products and services is a shared responsibility between the agency and the CSP.
c. Authorization Paths
To promote reusability while accommodating different use cases within the Federal Government, FedRAMP will support the following paths to obtain FedRAMP authorization:
Agency Authorization
Agency authorizations, signed by the Federal agency's authorizing official, indicate that an agency or a joint group of agencies assessed a CSP's security posture in accordance with FedRAMP guidelines and found it acceptable. The FedRAMP Director is responsible for ensuring that authorizations can reasonably support the presumption of adequacy.
Authorizations by a single agency will be designed to enable the agency to safely use a cloud product or service in a manner consistent with that agency's use and risk tolerances.
Authorizations can also be conducted jointly by multiple agencies,[^10] to enable a cohort of agencies with similar needs to pool resources and achieve consensus on an acceptable risk posture for use of the cloud product or service. The FedRAMP Board will proactively identify Federal agency IT leaders to form authorization groups to expand the FedRAMP authorizing capacity of the Federal ecosystem. CSOs that receive high reuse across the Federal enterprise make likely candidates for joint authorizations to manage availability and other security risks that cannot be accounted for in an individual agency's determination of FIPS 199 impact level. For authorizations managed by multiple agencies, agencies are expected to ensure efficient communication structures and apply the presumption of adequacy.
Program Authorization
Program authorizations, signed by the FedRAMP Director, indicate that FedRAMP assessed a cloud service's security posture and found it met FedRAMP requirements and is acceptable for reuse by agency authorizing officials.
These authorizations are intended to allow the FedRAMP program to enable agencies to use a cloud product or service for which an agency sponsor has not been identified, but for which use by a number of Federal agencies could be reasonably expected should the CSO be authorized. These authorizations may also be used for cloud services that have become widely adopted by agencies since their initial FedRAMP authorization, to provide centralized and consistent oversight and risk management.
Other Paths
Other paths to authorization are any paths designed by the FedRAMP PMO, in consultation with OMB and NIST, and approved by the FedRAMP Board, to further promote the goals of the FedRAMP program. In all cases, any alternative pathways will adhere to the rigorous standards of the FedRAMP program.
Responsibility
The FedRAMP PMO is responsible for ensuring that the various paths to authorization successfully achieve their goals, and for generally enabling Federal agencies to safely meet their mission needs. The FedRAMP PMO oversees the process for all FedRAMP authorizations, and works with agency program staff and authorizing officials to make necessary risk management decisions. Agency authorizing officials determine acceptable risk for their agency, and the FedRAMP Director determines acceptable risk for what can be called a FedRAMP authorization. As part of the agency authorization process, agencies may decide to authorize a CSP with an existing FedRAMP authorization at a higher impact level after applying the appropriate tailoring process.[^11]
d. Assessing Security Postures
Regardless of the authorization path, FedRAMP should consistently assess and validate cloud providers' complex architectures and encryption schemes to ensure confidentiality, integrity, and availability of cloud computing products and services and to verify that relevant security control implementations are reasonable and operate as intended. The FedRAMP Director should draw on technical expertise across the Government and industry as necessary to ensure that these assessments can be conducted. Assessments will include reviewing documentation, and may also involve intensive, expert-led "red team"[^12] assessments at any point during or following the authorization process.
The FedRAMP Board represents the needs of the Federal community and the interests of the FedRAMP program as a whole, and should be responsive to the evolving needs of the Federal community and the changing nature of the cloud ecosystem. The FedRAMP Board is responsible under the Act for establishing and regularly updating requirements and guidelines for security authorizations used in the FedRAMP process.[^13] As such, the FedRAMP Board engages with the FedRAMP PMO and its processes as a whole and is not expected to participate in the approval of individual authorization packages.
The authorization process must integrate agile principles and recognize that security is a risk-management process. To achieve this, FedRAMP will leverage the use of threat information to prioritize control selection and implementation. FedRAMP will update its security control baselines and will tailor them using a threat-based analysis, produced in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), that focuses on the application of those controls that address the most salient threats. The use of threat analysis, threat intelligence, and threat modeling will help agencies better identify the security capabilities necessary to reduce agency susceptibility to a variety of threats, including hostile cyber-attacks, natural disasters, equipment failures, errors of omission and commission, and insider threats. This process will also apply to other review procedures, including when a provider seeks to modify an existing FedRAMP-authorized service. Summary findings of this analysis will be available to agencies engaged in the FedRAMP authorization process.
e. Supporting the FedRAMP Marketplace
The FedRAMP Marketplace facilitates interagency awareness of services available for reuse. It displays cloud computing products and services that are in the process of obtaining or have completed a FedRAMP authorization. The FedRAMP Board may create additional designations for CSOs that may not constitute a full authorization. These designations may be listed on the Marketplace to encourage CSP adoption and security by design, and to signify that there has been coordination between FedRAMP and an agency.
Similarly, to support a robust Marketplace, agencies may in some circumstances require a FedRAMP authorization as a condition of contract award, but only if there are an adequate number of vendors to allow for effective competition, or an exception to legal competition requirements applies.[^14]
GSA, in consultation with the FedRAMP Board and the CIO Council, develops criteria for prioritizing products and services expected to receive a FedRAMP authorization.[^15] GSA will ensure that these criteria prioritize products and services based on agency demand, as well as critical or emerging technologies that might otherwise remain unavailable to agencies, while facilitating the goals of this policy, such as automation, shared commercial platforms, and reuse.
GSA will identify critical technologies unavailable to agencies and ensure the criteria prioritize those technologies.
To identify more cloud service offerings that could become FedRAMP authorized, and to accelerate their eventual path to being authorized, FedRAMP will provide procedures for issuing a time-specific temporary authorization, as discussed in NIST risk management guidelines,[^22] that would allow Federal agencies to pilot the use of new cloud services that do not yet have a full FedRAMP authorization. Consistent with FedRAMP's policies and procedures, such an authorization would serve as a preliminary authorization to provide for use of the covered product or service on a trial basis for a specified period of time, not to exceed twelve months, with the goal of more easily supporting a potential full FedRAMP authorization.[^23] After twelve months, the temporary authorization will terminate, unless the CSP is in progress for a full FedRAMP authorization. The FedRAMP PMO will provide further guidance on pilots, including any notification requirements.
[^1]: A FedRAMP authorization follows the steps in NIST Special Publication (SP) 800-37, Risk Management Framework for Information Systems and Organizations, but the control baselines used have been specifically tailored for cloud offerings. Agencies leverage the FedRAMP authorization package to issue their own "authorization to operate" (ATO) or "authorization to use" (ATU). FedRAMP does not replace other legal, Executive Order, regulatory, or OMB-issued compliance requirements for areas such as information management, records management, privacy, and cybersecurity. For example, agencies are responsible for implementing privacy requirements for cloud products and services in alignment with their agency privacy program.
[^2]: A CSO may be a standalone cloud product or a collection of services offered together.
[^3]: 44 U.S.C. § 3610(d)(2).
[^4]: Id. § 3613(e)(1).
[^5]: FedRAMP provides the mechanism for agencies to leverage (reuse) existing authorization artifacts (such as system security plans and assessments) for cloud offerings with a FedRAMP authorization. In doing so, the appropriate agency authorizing officials must issue an authorization when reusing artifacts (such as system security plans and assessments) in the FedRAMP repository. An authorizing official is a senior agency official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to, for example, agency operations and assets.
[^6]: For example, a demonstrable need might be the need for an agency to implement additional security controls to address specific legal requirements pertaining to an agency's use of the system.
[^7]: 44 U.S.C. § 3613(e)(2)(B).
[^8]: Id. § 3613(b).
[^9]: Id. § 3609(a)(2).
[^10]: A FedRAMP authorization conducted by multiple agencies is similar in concept to that of the FedRAMP Joint Authorization Board "provisional ATO" (JAB P-ATO) used under the prior FedRAMP policy structure. However, unlike a JAB P-ATO, these authorizations can be issued by any group of agencies. Existing JAB P-ATOs at the time of the issuance of this memorandum will be re-designated as determined by the FedRAMP PMO in collaboration with the CSP.
[^11]: For information on impact levels, refer to NIST FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, at: http://csrc.nist.gov/publications.
[^12]: The NIST glossary of terms, at https://csrc.nist.gov/glossary, defines "red-team" as "a group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture." Any red-team efforts will be performed in accordance with the Federal Acquisition Regulation and other applicable guidance provided by DHS's Cybersecurity and Infrastructure Security Agency (CISA) and the FedRAMP PMO.
[^13]: 44 U.S.C. § 3610(d).
[^14]: Inclusion of FedRAMP Authorization as a condition of contract award or use as an evaluation factor should be discussed with the agency acquisition integrated project team (IPT), including appropriate legal representation. Refer to FedRAMP.gov for Frequently Asked Questions regarding acquisition.
[^15]: 44 U.S.C. § 3609(b)(2).