
M-24-15 Section II. Vision

The purpose of the FedRAMP program is to increase Federal agencies' adoption and secure use of the commercial cloud, by providing a standardized, reusable approach to security assessments and authorizations for cloud computing products and services. Through centralization, FedRAMP reduces duplicative authorization activities, allowing CSPs to deliver and agencies to adopt secure cloud services more efficiently. Focusing FedRAMP on the highest value work, as outlined in this guidance, will support broader efforts to reduce the nation's cybersecurity risks, contributing to a more stable technology ecosystem by incentivizing CSPs to make security improvements that protect all of their Federal Government customers.

The goal of this guidance is to strengthen and enhance the FedRAMP program.

FedRAMP has provided significant value to date, but the program must change to meet the needs of Federal agencies and the evolving cloud marketplace. The FedRAMP Marketplace must scale dramatically to enable Federal agencies to work with many thousands of different cloud-based services that accelerate key agency operations while allowing agencies to reduce the footprint of the information technology (IT) infrastructure that they directly manage.[1]

Strategic Goals and Responsibilities

To achieve this, FedRAMP has several strategic goals and responsibilities:

  • Lead an information security program grounded in technical expertise and risk management. FedRAMP is a security program that should, in consultation with industry and security experts across the Federal Government, focus Federal agencies and CSPs on the most impactful security features that protect Federal agencies from the most salient threats. To do this, FedRAMP must be capable of conducting rigorous reviews and identifying and requiring CSPs to rapidly mitigate weaknesses in their security architecture. At the same time, FedRAMP is a bridge between industry and the Federal Government, and is expected to thoughtfully navigate situations where unthinking adherence to standard agency practices in a commercial cloud environment could lead to unexpected or undesirable security outcomes.

  • Rapidly increase the size of the FedRAMP Marketplace by evolving and offering additional FedRAMP authorization paths. FedRAMP has the challenging task of defining core security expectations for FedRAMP authorizations that will support the statutory presumption of their adequacy and lead to their reuse at the appropriate Federal Information Processing Standards Publication (FIPS) 199 impact level by agencies with a wide variety of risk postures.[2] The presumption of adequacy is intended to engender trust in the FedRAMP Marketplace, create a consistent experience for cloud providers when navigating Federal security requirements, and ensure strong justifications for agency-specific requirements in the FedRAMP process. FedRAMP will develop alternative authorization paths for cloud computing products and services, beyond those described in this document, that embrace risk management principles, consistent with National Institute of Standards and Technology (NIST) standards and guidelines, and provide flexibility to agencies.

  • Streamline processes through automation. It is essential that FedRAMP establish an automated process for the intake, use, and reuse of security assessments and reviews. Automating the intake and processing of machine-readable security documentation, continuous monitoring data, and other relevant artifacts will reduce the burden on program participants and shorten the time needed to deploy cloud solutions.

  • Leverage shared infrastructure between the Federal Government and private sector. FedRAMP should not incentivize or require commercial cloud providers to create separate, dedicated offerings for Federal use, whether through its application of Federal security frameworks or other program operations. The Federal Government benefits from the investment, security maintenance, and rapid feature development that commercial cloud providers give to their core products to succeed in the marketplace. Commercial providers similarly are incentivized to integrate improved security practices that emerge from their engagement with FedRAMP into their core services, benefiting all customers.

FedRAMP's Structure

Structurally, FedRAMP consists of two parts: the FedRAMP Program Management Office (PMO) and the FedRAMP Board.

The PMO, located within GSA and led by the FedRAMP Director, is responsible for operating a security authorization process that meets the needs of Federal agencies, provides a navigable experience for CSPs, and complies with applicable laws and policies, including this memorandum.

The FedRAMP Board, composed of Federal technology leaders appointed by OMB, provides input to GSA, establishes guidelines and requirements for security authorizations, consistent with relevant standards and guidelines of NIST, and supports and promotes the program within the Federal community.


  1. The FedRAMP Marketplace shows cloud computing products and services that are in progress or have completed a FedRAMP authorization. For additional information, refer to: https://marketplace.fedramp.gov

  2. Refer to NIST FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, at: http://csrc.nist.gov/publications