Understand the Federal Risk and Authorization Management Program (FedRAMP)


With a clear understanding of the roles each organization would play, and a basis for connecting government networks to cloud service providers, the Office of Management and Budget (OMB) collaborated from 2009 to 2011 with NIST, the GSA, the DOD, DHS, the CIO Council, state and local governments, the private sector, and Non-Governmental Organizations (NGOs) to create FedRAMP.

FedRAMP puts FISMA into practice.

FedRAMP is the Federal Risk and Authorization Management Program. It is one of the most significant efforts created, and still in place, that drives government cloud strategy.

On December 8, 2011, the OMB released a memorandum for Chief Information Officers titled "Security Authorization of Information Systems in Cloud Computing Environments" that establishes FedRAMP. The memorandum seeks to "provide a cost-effective, risk-based approach for the adoption and use of cloud services" by Executive departments and agencies.

The General Services Administration (GSA) followed up in June 2012 by standing up the FedRAMP Program Management Office, or PMO, with the goal of promoting the adoption of secure cloud services across the Federal Government through a standardized approach to security assessment, authorization, and continuous monitoring.

FedRAMP matters because the OMB memorandum requires that any cloud service holding federal data be FedRAMP authorized; an agency cannot simply buy a commercial cloud offering and place federal data in it without that authorization.

Governance of FedRAMP

FedRAMP is governed by several Executive Branch entities that collaborate to develop, manage, operate, and update the program. One of these entities is the JAB, or Joint Authorization Board, which holds the primary governance and decision-making authority and consists of the CIOs of DHS, GSA, and the DOD.

NIST also plays a large role by advising on FISMA compliance requirements and by developing the standards used to accredit independent third-party assessment organizations, or 3PAOs, which perform the security assessments of cloud service offerings.

DHS is tasked with managing the continuous monitoring strategy, including data feed criteria, the reporting structure, threat notification coordination, and incident response.

The FedRAMP PMO, within the GSA, is responsible for developing the FedRAMP program and for its day-to-day operations.

Cloud services authorized by FedRAMP

FedRAMP includes the FedRAMP Marketplace, a searchable database of cloud service offerings and their current FedRAMP designation (FedRAMP Ready, In Process, or Authorized). The marketplace is maintained by the FedRAMP PMO and updated as offerings progress through the process and are formally authorized. When evaluating a provider's claim of being "FedRAMP compliant," check the marketplace entry: only an Authorized designation means an authorization has actually been granted.

Security baselines leveraged by FedRAMP

FedRAMP's security baselines are derived from NIST Special Publication 800-53, "Security and Privacy Controls for Information Systems and Organizations." FedRAMP publishes baselines for the Low, Moderate, and High impact levels, each adding control enhancements and FedRAMP-specific parameters directed at the unique security requirements of cloud computing, such as multi-tenancy and shared responsibility between the provider and the agency.

Compliance by managing risk

FedRAMP manages risk (and therefore compliance) based upon NIST Special Publication 800-37, "Risk Management Framework for Information Systems and Organizations." This publication provides guidelines for applying the Risk Management Framework (RMF) not just to information systems but also to organizations. The publication "provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring." In practice, a cloud service provider's path to FedRAMP authorization follows these same RMF steps: the offering is categorized, the matching FedRAMP baseline is selected and implemented, a 3PAO assesses the controls, an authorization decision is made, and the provider then reports continuous-monitoring results for as long as the authorization is held.