Overview
The Federal Risk and Authorization Management Program (FedRAMP®) was established in 2011 to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information. In December 2022, the FedRAMP Authorization Act was signed as part of the FY23 National Defense Authorization Act (NDAA). The Act codifies the FedRAMP program as the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information.
Mission
FedRAMP is a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies.
Benefits
- Reduces duplicative efforts, inconsistencies, and cost inefficiencies.
- Establishes a public-private partnership to promote innovation and the advancement of more secure information technologies.
- Enables the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations and allowing agencies to leverage security authorizations on a government-wide scale.
Goals
- Grow the use of secure cloud technologies in use by government agencies.
- Enhance the framework by which the government secures and authorizes cloud technologies.
- Build and foster strong partnerships with FedRAMP stakeholders.
Legal Framework
FedRAMP standardizes security requirements for the authorization and ongoing cybersecurity of cloud services in accordance with FISMA , OMB Circular A-130 , and FedRAMP policy, and FedRAMP Authorization Act as part of the National Defense Authorization Act.
FISMA
Federal Information Security Modernization Act (FISMA) requires agencies to protect federal information.
OMB Circular A-130
Office of Management and Budget (OMB) states that when agencies implement FISMA, they must use National Institute of Standards and Technology (NIST) standards and guidelines.
FedRAMP Policy
FedRAMP leverages National Institute of Standards and Technology (NIST) standards and guidelines to provide standardized security requirements for cloud services; a conformity assessment program; standardized authorization packages and contract language; and a repository for authorization packages.
FedRAMP Authorization Act
FedRAMP Authorization Act establishes a Government-wide program that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies.