FedRAMP

FedRAMP, the federal risk and authorization management program, is a U.S. government-wide initiative that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services. It aims to enable reuse of security assessments across federal agencies, reduce duplicative work, and accelerate the procurement of cloud products.

FedRAMP uses a baseline framework aligned with NIST SP 800-53 security controls. There are three baselines—Low, Moderate, and High—reflecting different levels of impact to confidentiality, integrity, and availability. Most federal cloud deployments rely on the Moderate baseline, while High applies to high-impact systems handling sensitive information. Security requirements are documented in a System Security Plan and assessed by accredited Third-Party Assessment Organizations (3PAOs).

Authorization follows a formal workflow. Cloud service providers prepare a security package and engage a 3PAO to conduct an independent assessment. For federal-wide authorization, the Joint Authorization Board (JAB), consisting of designated officials from the General Services Administration, Department of Defense, and Department of Homeland Security, reviews the package and issues a Provisional Authorization to Operate (P-ATO). Agencies may issue their own Agency ATO based on the FedRAMP package. After authorization, the cloud service enters continuous monitoring, with ongoing security reporting and periodic reassessments.

FedRAMP maintains the FedRAMP Marketplace, a public catalog of cloud services with current authorization status. The program is managed by the FedRAMP Program Management Office at GSA, with input from partner agencies and industry. While designed to standardize security and reuse assessments, the process can be time-consuming, and ongoing monitoring requires sustained governance.