FedRAMP

Policy Overview

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program, as of December 2018, that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP created and manages a core set of processes to ensure effective, repeatable cloud security for the government. It also established a mature marketplace to increase utilization and familiarity with cloud services while facilitating collaboration across government through open exchanges of lessons learned, use cases, and tactical solutions.

Draft Guidance for Public Comment

On October 27, OMB released draft updated guidance for public comment through November 27th.

The draft guidance defines the scope of cloud products subject to FedRAMP, sets agency requirements for granting authorization and reuse, and promotes a transparent and consistent process for performing security assessment and authorizations of cloud services by Federal agencies. Key areas of the draft guidance include how the FedRAMP Program will:

1. Be an information security program grounded in technical expertise and risk management.
2. Offer multiple cloud authorization structures that incentivize agency partnership and reuse.
3. Streamline manual authorization processes through increased automation.
4. Leverage shared infrastructure between the Federal Government and private sector.

Read the Draft Guidance

Why This Matters to the CIO Council

By adopting innovative cloud services to meet their critical mission needs, agencies have the opportunity to save both time and money. FedRAMP enables agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost effective cloud-based IT.