Skip to main content

Governance

How FedRAMP® is Governed

FedRAMP is governed by different executive branch entities that work in a collaborative manner to develop, manage, and operate the program. The governing entities of FedRAMP include:

FedRAMP Board previously the Joint Authorization Board (JAB)

The FedRAMP Board as established by the FedRAMP Authorization Act will operate as the current state JAB until further guidance is provided by OMB and the Board Charter is revised accordingly.

The JAB is the primary governance and decision-making body for FedRAMP. The JAB consists of the Chief Information Officers from the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA). The JAB is responsible for:

  • Defining and regularly updating the FedRAMP security authorization requirements
  • Approving accreditation criteria for Third Party Assessment Organizations (3PAOs)
  • Reviewing authorization packages for cloud services based on the priority queue
  • Granting provisional authorizations for cloud services that can be used as an initial approval that Executive departments and agencies leverage in granting security authorizations and an accompanying Authority to Operate (ATO) for use
  • Ensuring that provisional authorizations are reviewed and updated regularly and notify Executive departments and agencies of any changes to provisional authorizations including removal of such authorizations
  • Establishing and publishing priority queue requirements for authorization package reviews

Office of Management and Budget (OMB)

The governing body that issued the FedRAMP policy memo which defines the key requirements and capabilities of the program.

Chief Information Officer (CIO) Council

Disseminates FedRAMP information to Federal CIOs and other representatives through cross-agency communications and events.

National Institute for Standards and Technology (NIST)

Advises FedRAMP on Federal Information Security Modernization Act (FISMA) compliance requirements.

Federal Secure Cloud Advisory Committee (FSCAC)

Provides advice and recommendations to the GSA Administrator, the FedRAMP Board, and agencies on technical, financial, programmatic, and operational matters regarding secure adoption of cloud computing products and services.