What is FedRAMP?

FedRAMP is a US government–wide program that standardizes security assessment, authorization, and continuous monitoring for cloud services.

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a US government–wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. It enables federal government agencies to streamline adoption of secure cloud technologies.

Federal agencies that plan to use cloud services must select FedRAMP Authorized services. And cloud service providers that want to offer their services to federal government agencies must demonstrate FedRAMP compliance.

Why is FedRAMP important?

By providing a standardized approach to assessing security for cloud services, FedRAMP helps ensure that cloud service providers meet stringent requirements for protecting federal data. Federal agencies can accelerate implementation of secure cloud services by choosing from cloud service offerings (CSOs) that have achieved FedRAMP authorization. Cloud service providers, meanwhile, are able to expand their customer base to federal agencies by achieving that authorization.

How do cloud service providers achieve FedRAMP authorization?

FedRAMP uses the National Institute of Standards and Technology (NIST) Special Publication 800-53 (NIST SP 800-53) to define security and privacy controls. A cloud service provider must implement appropriate controls for the authorization level that they are seeking, and then undergo an independent security assessment by a third-party assessment organization (3PAO).

That 3PAO produces a Security Assessment Report (SAR), which identifies any vulnerabilities and provides recommendations for remediation. Once the cloud service provider has remediated any issues, they can submit a completed security package to the FedRAMP repository.

The package is then reviewed by a federal agency, which decides whether to issue an Authorization to Operate (ATO), sometimes called an “Authority to Operate.” Until 2024, packages could also be reviewed by the FedRAMP Joint Authorization Board (JAB), but the JAB was dissolved in 2024. There will be no new JAB authorizations; today, the agency authorization process is the only path to authorization for cloud service providers.

When the cloud service provider receives an ATO from an agency, they are considered FedRAMP Authorized and listed on the FedRAMP Marketplace. The provider then implements continuous monitoring and undertakes regular reassessments to maintain compliance.

What is a 3PAO and why is one required?

A 3PAO (third-party assessment organization) independently validates that a cloud service provider’s security controls are in place and working properly. The 3PAO performs initial and periodic assessments and produces a SAR, which gives federal agencies the information they need to make risk-based decisions about authorizing a cloud service provider’s offering for government use.

3PAOs are accredited by the American Association for Laboratory Accreditation (A2LA).

What is involved with continuous monitoring?

FedRAMP authorization is not a single, one-time event. To maintain authorization, cloud service providers must undertake continuous monitoring (sometimes called “ConMon”).

According to NIST, continuous monitoring of information security helps ensure “ongoing awareness of information security, vulnerabilities, and threats.” It helps keep cloud providers secure while giving agencies the insights they need to support key risk-management decisions.

Continuous monitoring involves regular assessments, reporting, and remediation of security controls. Every month, cloud service providers must submit vulnerability scans and plans of action and milestones. Every year, they must undergo security assessments by a 3PAO. Each agency that issues an ATO for cloud offerings reviews the cloud service provider’s continuous monitoring activities to make sure the agency should continue using those offerings.

What do the FedRAMP Marketplace status descriptions mean?

The FedRAMP Marketplace is a searchable, sortable online database that includes:

  • Cloud service providers that have achieved a FedRAMP designation

  • Federal agencies using FedRAMP Authorized cloud service providers

  • FedRAMP-recognized third-party assessors or auditors

The database provides a FedRAMP status for each cloud offering:

  • FedRAMP Ready: The provider has been assessed by a 3PAO, which has attested to the offering’s security in a report. A FedRAMP Ready service is likely to achieve FedRAMP authorization in the future.

  • FedRAMP In Process: The provider is actively pursuing FedRAMP authorization, working to meet the necessary security controls and documentation requirements.

  • FedRAMP Authorized: The provider has successfully achieved authorization for a specific offering, demonstrating that the offering meets the security requirements at a specific impact level (Low, Moderate, or High).

What are the FedRAMP impact levels?

FedRAMP defines three “impact levels” for cloud offerings. Each level defines particular types of data and the potential impact of a breach of that data.

  • Low: This level is for systems handling non-sensitive, publicly available information or data. A breach would have limited impact on operations, assets, or individuals.

  • Moderate: This level is for systems handling sensitive but unclassified data. A breach could lead to serious adverse effects, such as financial loss, operational damage, or harm to individuals.

  • High: This is the most stringent level, reserved for systems processing the most sensitive unclassified data, such as those used by law enforcement, emergency services, and financial institutions. A breach could result in severe or catastrophic consequences for national security, public safety, or the availability of mission-critical government services.

A cloud service provider can hold authorizations for more than one impact level. For example, certain services from that provider might have FedRAMP Moderate authorization while others have FedRAMP High authorization.

FedRAMP vs. RMF

Both FedRAMP and the Risk Management Framework (RMF) provide guidelines and processes for managing cybersecurity risk, but they apply to different entities.

  • FedRAMP offers a process that cloud service providers follow to have their offerings approved for use by federal agencies. The purpose is to accelerate adoption of secure cloud solutions by agencies.

  • The RMF provides a process that federal agencies follow to have an IT system authorized for operation. The purpose is to help those organizations identify, assess, and mitigate security risks for their information systems.

FedRAMP vs. FISMA

The Federal Information Security Modernization Act (FISMA) is a US federal law that requires federal agencies to develop, document, and implement security programs that protect information and systems. It mandates a risk-based approach to security and assigns NIST the responsibility for providing standards and guidance for meeting requirements. FISMA applies to agencies, their contractors, and other organizations supporting agency operations.

FedRAMP is a program that provides a specific framework for assessing and authorizing the security of cloud services, ensuring those services meet FISMA security baselines. So, FISMA is the overarching regulation, and FedRAMP is a framework for demonstrating FISMA compliance.

FedRAMP vs. GovRAMP

GovRAMP (previously branded as StateRAMP) is a program that has standardized cybersecurity assessments of cloud service providers with offerings for US state, local, and tribal governments, as well as educational institutions. The program, which is voluntary, is managed by a private, nonprofit organization.

FedRAMP, by contrast, is designed to authorize services for federal government agencies. It is managed by the General Services Administration (GSA), which is a federal agency.

Both programs:

  • Follow security controls defined by NIST SP 800-53

  • Require third-party assessment organization (3PAO) audits and continuous monitoring

  • Use Low, Moderate, and High impact levels, aligning with NIST controls

  • Benefit government organizations (by streamlining the adoption of cloud services) and cloud service providers (by offering customers a high degree of confidence in the security of their services)

A cloud service provider can hold both FedRAMP and GovRAMP authorizations.

What is FedRAMP 20x?

FedRAMP 20x is an initiative that aims to streamline and enhance the compliance process by building a new, cloud-native approach to FedRAMP authorization. The initiative describes five key goals for a new assessment process, which will be designed by FedRAMP in collaboration with industry stakeholders and agency experts.

  • Make it simple to automate the application and validation of FedRAMP security requirements.

  • Leverage existing industry investments in security by inheriting best-in-class commercial security frameworks.

  • Continuously monitor security decisions using a simple, hands-off approach.

  • Build trust between industry and federal agencies by leaning into the direct business relationships between providers and customers.

  • Enable rapid, continuous innovation without artificial checkpoints that halt progress.

Cloud service providers can continue to work toward agency authorization for their services using the FedRAMP baselines until those baselines are replaced.

What types of cloud services can be FedRAMP Authorized?

A wide range of infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) offerings can achieve FedRAMP authorization. For example, a cloud service provider could achieve authorization for application development, cybersecurity, networking, analytics, privacy / compliance, and other services.

How does an agency leverage FedRAMP Authorized services?

A federal agency searches the FedRAMP Marketplace for the offerings that meet its mission’s needs and security requirements. The Marketplace database enables users to filter results by business category, impact level, and deployment model.

If an offering has been authorized by another agency, the agency searching for an offering can request access to that offering’s security assessment package. The package can then guide the agency’s own ATO decision.

Earning customer trust at Cloudflare

Cloudflare has a broad set of policies, technologies, and certifications that help earn customer trust, including FedRAMP authorization. Visit the Cloudflare Trust Hub to learn more.

FAQs

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a US government program that standardizes the security assessment, authorization, and continuous monitoring for cloud products and services. Its goal is to help federal government agencies adopt secure cloud technologies more easily.

Why is FedRAMP authorization important for cloud services?

FedRAMP ensures that cloud service providers meet strict requirements for protecting federal data by standardizing security assessments. This allows federal agencies to quickly implement secure cloud services, while providers can expand their customer base to include federal agencies.

What are the key steps for a cloud service provider to achieve FedRAMP authorization?

Cloud service providers must implement the security and privacy controls defined by the National Institute of Standards and Technology (NIST) Special Publication 800-53. They then undergo an independent security assessment by a third-party assessment organization (3PAO), which produces a Security Assessment Report (SAR). After remediating any issues, they submit a security package for review by a federal agency, which decides whether to issue an Authorization to Operate (ATO).

What is a 3PAO and what is their role in the authorization process?

A 3PAO is a third-party assessment organization that is accredited by the American Association for Laboratory Accreditation (A2LA). Its role is to independently validate that a cloud service provider's security controls are correctly in place and functioning. The 3PAO performs initial and periodic assessments and creates the SAR for federal agencies to use in their risk-based decisions.

What is "continuous monitoring" (ConMon)?

Continuous monitoring (or ConMon) is the ongoing activity required to maintain FedRAMP authorization. It involves the regular assessment, reporting, and remediation of security controls. Cloud service providers must submit monthly vulnerability scans and plans of action and milestones, and undergo yearly security assessments by a 3PAO to ensure ongoing security awareness.

How does FedRAMP differ from FISMA and RMF?

FedRAMP is a specific program that provides a framework for assessing and authorizing the security of cloud services, which ensures those services meet the security baselines required by the Federal Information Security Modernization Act (FISMA). FISMA is the overarching federal law that mandates security programs for federal agencies. The Risk Management Framework (RMF) provides the process that federal agencies follow to authorize their own IT systems for operation, helping them manage security risks. FedRAMP is a process that cloud service providers follow to get their offerings approved for use by federal agencies.

What are the three FedRAMP impact levels?

FedRAMP defines three impact levels for cloud offerings, based on the sensitivity of the data and the potential impact of a breach:

  • Low: For non-sensitive, publicly available information where a breach would have limited impact.

  • Moderate: For sensitive but unclassified data where a breach could lead to serious adverse effects, like financial loss.

  • High: The most stringent level, for the most sensitive unclassified data (e.g., used by law enforcement) where a breach could cause severe or catastrophic consequences.

What is the purpose of the FedRAMP Marketplace?

The FedRAMP Marketplace is a searchable online database that lists:

  • Cloud service providers that have achieved a FedRAMP designation.

  • Federal agencies currently using FedRAMP Authorized cloud service providers.

  • FedRAMP-recognized third-party assessors or auditors (3PAOs).

What is the goal of the FedRAMP 20x initiative?

FedRAMP 20x is an initiative focused on streamlining and enhancing the compliance process by building a new, cloud-native approach to FedRAMP authorization. Its goals include simplifying automation of security requirements, leveraging existing industry security investments, and enabling rapid, continuous innovation.

What are the different types of cloud services that can be FedRAMP Authorized?

A variety of cloud services can achieve FedRAMP authorization, including infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) offerings. Examples of areas that can be authorized include application development, cybersecurity, networking, and analytics.