CIO Council - Chief Information Officers Council - Beta

FedRAMP

The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves an estimated 30-40% of government costs, as well as the time and staff otherwise required to conduct redundant agency security assessments. FedRAMP is the result of close collaboration with cybersecurity and cloud experts from the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DOD), National Security Agency (NSA), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO) Council and its working groups, as well as private industry.

The FedRAMP program is designed to comply with the Federal Information Security Management Act of 2002 (FISMA). It aims to accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations, increase confidence in security assessments and in the security of cloud solutions, achieve consistent security authorizations using a baseline set of agreed-upon standards for cloud product approval, ensure consistent application of existing security practice, and increase automation and near real-time data for continuous monitoring.

Below are the FedRAMP duties and responsibilities for the CIO Council.

  • Publish and disseminate information from the FedRAMP Program Management Office (PMO) and Joint Authorization Board (JAB) to Executive departments and agencies
  • Publish the standardized baseline of security controls, privacy controls, and controls selected for continuous monitoring from NIST Special Publication 800-53 (as amended) included within the FedRAMP security authorization requirements
  • Coordinate vetting of controls and requirements from the JAB
  • Publish all FedRAMP documents from the JAB or PMO

Resources

Guide to Understanding FedRAMP (June 6, 2014)
FedRAMP Joint Authorization Charter
FedRAMP Security Controls

For questions regarding FedRAMP, please direct inquiries to questions@FedRAMP.gov.