FedRAMP compliance program overview
Accelerating your path to the US Federal Risk and Authorization Management Program (FedRAMP) compliance in Azure is a focused effort that provides learning resources and implementation tools. The goal is education and support during the scoping and implementation of your project. Moreover, Microsoft works with key assessment and automation partners to share reference architectures and solutions that can help you meet your compliance needs.
As a partner who provides a service in this field, you can publish your offering in the marketplace that expands the reach of your service.
US Government agencies and many other organizations rely on commercial software companies to achieve their missions. FedRAMP was established to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services. This approach uses a “do once, use many times” framework that saves cost, time, and resources required to conduct individual agency security assessments. FedRAMP is based on the National Institute of Standards and Technology (NIST) SP 800-53 standard, augmented by FedRAMP controls and control enhancements.
There are two types of FedRAMP authorizations for cloud services:
- A Provisional Authority to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB)
- An agency Authority to Operate (ATO)
A FedRAMP P-ATO is an initial approval of the cloud service provider (CSP) authorization package by the JAB. An agency can rely on P-ATO to grant an ATO for the acquisition and use of the cloud service within their agency. The JAB consists of the Chief Information Officers (CIOs) from the US Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA), supported by designated technical representatives (TRs) from their respective member organizations. A P-ATO means that the JAB has reviewed the cloud service’s authorization package and provided a provisional approval for federal agencies to use when granting an ATO for a cloud services offering.
Agency ATO process
As part of the agency authorization process, a CSP works directly with the agency sponsor who reviews the cloud service’s security package. After completing a security assessment, the head of an agency (or their designee) can grant an ATO.
Consequently, an ISV can choose to go for a JAB authorization, which grants a generalized authorization to its solution and can be used with multiple agencies. This process tends to be longer. They can also choose to go for an agency ATO, which is specific to the Government customer they're serving. This customer acts as the sponsor and may even have “reciprocity” with other agencies, which allows for a faster, smoother adoption of the company’s solution with a different customer.
Microsoft is able to scale through its partners. Scale is what allows us to create a more predictable, cost-effective, and speedy delivery. These concerns are also common with pursuing an ATO. We're focused on enabling two main kinds of partnerships:
- Advisory: enables partners to create offerings based on Azure that guide a customer through individual steps or the entire ATO process. These partners offer consulting services bundled with some automated solutions that add value to Azure Marketplace compliance offerings. They can usually be contracted directly, by reference, or via Microsoft Azure Marketplace.
- Automation: there are two types of automation partners we focus on:
- Foundational partners, which enable integration of third party solutions with Azure and help you achieve / meet controls from your FedRAMP package. These partners are part of our recommended reference architectures.
- True automation partners that help automate certain aspects of the ATO journey such as the FedRAMP System Security Plan (SSP) generation, self-healing, alerts, and monitoring.
Partners are asked to publish their solutions to Azure Marketplace. See the following steps for guidance.
Publishing to Azure Marketplace
- Join the Partner Network – It’s a requirement for publishing but easy to sign up. For instructions, see Create a Partner Center account and enroll in the commercial marketplace.
- Enable your partner center account as Publisher / Developer for Marketplace by following the instructions in Create a commercial marketplace account in Partner Center.
- With an enabled Partner Center Account, publish your listing as a SaaS application as explained in Create a SaaS offer.
For a list of existing Azure Marketplace offerings in this space, visit Azure Marketplace.
The information provided here will allow you to sign up and learn about the FedRAMP compliance program. The program is designed to help Azure and Azure Government customers successfully prepare their environments for authorization and request a FedRAMP ATO. This information does not constitute an offer of any kind, and submitting the following forms in no way guarantees participation in the program. Currently, the program details shared with partners and customers are notional and subject to change without notice.
- FedRAMP training resources.
- FedRAMP documents and templates to help you with program requirements.
- Get familiar with the FedRAMP Marketplace.
- Learn more about Azure Government compliance.
Review the Publishing guide by offer type for further tips and troubleshooting. If you're still facing issues, open a ticket in Partner Center.