
Agency Use of FedRAMP Certified Cloud Services

The Agency Use rules summarize the many demands made on agencies by the FedRAMP Authorization Act and OMB Memorandum M-24-15 in a simple, clear, easy-to-follow set of FedRAMP-style rules. These rules align agency policies, authorization letters, machine-readable tools, secure configuration review, continuous monitoring, and communication with FedRAMP so certifications can be reused consistently across government.

Subsets

Effective Date(s) & Overall Applicability for 20x and Rev5

  • Required (Consolidated Rules for 2026)
  • Optional Adoption: 2026-07-04
  • Obtain: 2026-07-04
  • Maintain: 2026-07-04
  • Grace Ends: 2026-07-04

General Agency Responsibilities

These rules apply to agencies based on the FedRAMP Authorization Act, OMB M-24-15, and related FedRAMP policies.

Type: 20x, Rev5
Path: Program, Agency
Class: Class A, Class B, Class C, Class D
Audience: Agencies

Agency Internal Policies

AGU-AGC-AIP

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

Agencies MUST maintain agency-wide policy that aligns with the requirements in OMB Memorandum M-24-15.

Notify FedRAMP After Authorization

AGU-AGC-NAA

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

This FRR includes a notification requirement!

Agencies MUST notify FedRAMP upon authorizing the use of a cloud service within the scope of FedRAMP, supplying at least the following information:

  1. A copy of the agency's Authorization to Operate letter for the information system leveraging the cloud service, following agency policy and templates.
  2. All other supplemental information requested in the Submit an ATO Letter form by FedRAMP.

Governance, Risk, and Compliance Tools

AGU-AGC-GRC

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

Agencies MUST ensure that internal governance, risk, compliance, and inventory tools can produce and ingest machine-readable artifacts using formats identified by FedRAMP, including at least:

  1. Open Security Controls Assessment Language (OSCAL)
  2. JSON

Terms: Artifacts, Machine-Readable

Notify Additional Information Requests

AGU-AGC-NAI

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

This FRR includes a notification requirement!

Agencies MUST notify FedRAMP after requesting any additional information or materials from a FedRAMP Certified cloud service offering beyond those required by FedRAMP.


Note: Agencies are expected to notify FedRAMP under OMB Memorandum M-24-15 section IV (a).


Terms: Cloud Service Offering, FedRAMP Certified

No Additional Security Requirements

AGU-AGC-NAR

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

This FRR includes a notification requirement!

Agencies MUST NOT require additional information or materials from FedRAMP Certified cloud service offerings beyond those required by FedRAMP UNLESS the head of the agency or an authorized delegate determines there is a demonstrable need and notifies FedRAMP; this does not apply to seeking clarification or asking general questions about FedRAMP Certification Data.


Note: This is related to the Presumption of Adequacy for a FedRAMP Certification and notification is mandated by OMB Memorandum M-24-15 section IV (a).


Terms: Certification Data, Cloud Service Offering, FedRAMP Certified

No Certification Type or Path Preferences

AGU-AGC-TPP

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

This FRR includes a notification requirement!

Agencies MUST NOT require cloud service offerings to obtain or maintain a specific FedRAMP Certification Type or FedRAMP Certification Path, UNLESS the head of the agency or an authorized delegate determines there is a demonstrable need and notifies FedRAMP.


Note: This is related to the Presumption of Adequacy for a FedRAMP Certification and notification is mandated by OMB Memorandum M-24-15 section IV (a).


Terms: Certification Path, Certification Type, Cloud Service Offering, FedRAMP Certified

FedRAMP Working Groups

AGU-AGC-WKG

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

Agencies SHOULD participate in FedRAMP working groups, communities of practice, and stakeholder engagements to supply feedback and align practices across government.

Agency Liaison Program

AGU-AGC-LIA

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

Agencies SHOULD assign at least 1 federal employee to be an active participant in the FedRAMP Agency Liaison program.

Reference: Agency Liaison Program

Shared FedRAMP Inbox

AGU-AGC-SIN

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

Agencies SHOULD establish and maintain a dedicated shared FedRAMP agency inbox to serve as the official point of contact for communications between FedRAMP and the agency.


Note: A shared FedRAMP agency inbox may follow an agency-specific format such as agency-fedramp@agency.gov.

Use of FedRAMP Certifications

These rules apply when agencies use FedRAMP Certifications to make agency authorization decisions.

Type: 20x, Rev5
Path: Program, Agency
Class: Class A, Class B, Class C, Class D
Audience: Agencies

Authorization Before Use

AGU-USE-ABU

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

Agencies MUST complete the Authorization to Operate process for federal information systems that use FedRAMP Certified cloud service offerings.


Note: FedRAMP provides technical assistance to help agencies navigate this process.

Reference: Using a FedRAMP Certified Cloud Service Offering


Terms: Cloud Service Offering, FedRAMP Certified

Resolve Certification Package Conflicts

AGU-USE-RCF

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

Agencies MUST collaborate with FedRAMP when discrepancies or conflicts arise between agency-specific security determinations and the FedRAMP Certification Package.


Terms: Certification Package

Review Secure Configuration Guides

AGU-USE-RSG

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

Agencies MUST review the Secure Configuration Guides supplied by Providers and configure relevant security settings.

Accept FedRAMP Rules

AGU-USE-AFR

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

Agencies MUST allow FedRAMP Certified cloud service offerings to follow FedRAMP rules.


Terms: Cloud Service Offering, FedRAMP Certified

Notify FedRAMP of Monitoring Concerns

AGU-USE-NFC

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

This FRR includes a notification requirement!

Agencies MUST notify FedRAMP if information presented in an Ongoing Certification Report, Quarterly Review, or other FedRAMP Certification Data causes significant concerns for the authorizing official that would likely result in rescission of their Authorization to Operate.


Note: Agencies are expected to notify FedRAMP under OMB Memorandum M-24-15 section IV (a).


Terms: Certification Data, FedRAMP Certification Report, Likely, Ongoing Certification, Ongoing Certification Report (OCR), Quarterly Review

Review Ongoing Certification Reports

AGU-USE-ROR

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

Agencies SHOULD review each Ongoing Certification Report to understand how changes to the cloud service offering may impact the risk tolerance documented in the agency Authorization to Operate for the federal information system that includes the cloud service offering in its boundary.


Note: This agency review supports agency responsibilities under 44 USC § 35, OMB Circular A-130, FIPS-200, and OMB Memorandum M-24-15.


Terms: Cloud Service Offering, FedRAMP Certification Report, Ongoing Certification, Ongoing Certification Report (OCR)

Designate Senior Official

AGU-USE-DSO

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

Agencies SHOULD designate a federal senior information security official to review Ongoing Certification Reports and represent the agency at Quarterly Reviews for cloud service offerings included in agency information systems.


Terms: Cloud Service Offering, Ongoing Certification, Quarterly Review

Notify Provider of Concerns

AGU-USE-NPC

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

This FRR includes a notification requirement!

  • Notify Provider via the appropriate recipient-specific method: The provider's security contact email or form (varies by provider).

Agencies SHOULD formally notify the cloud service provider if information presented in an Ongoing Certification Report, Quarterly Review, or other FedRAMP Certification Data causes significant concerns for the authorizing official that would likely result in rescission of their Authorization to Operate.


Terms: Certification Data, FedRAMP Certification Report, Likely, Ongoing Certification, Ongoing Certification Report (OCR), Quarterly Review

Review All Information Resources

AGU-USE-RIR

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

Agencies SHOULD consider third-party information resources used by the cloud service offering during initial and ongoing authorization activities.


Terms: Cloud Service Offering, Information Resource, Third-Party Information Resource

Using FedRAMP Class A Certifications

AGU-USE-CLA

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

Agencies SHOULD NOT authorize the use of a FedRAMP Class A Certified cloud service offering for more than 12 months UNLESS the cloud service offering is actively seeking a FedRAMP Class B, C, or D Certification.


Terms: Cloud Service Offering, FedRAMP Certified

Agency Sponsored Certifications

These rules apply when an agency sponsors a FedRAMP Rev5 Certification after completing an agency authorization.

Type: Rev5
Path: Agency
Class: Class B, Class C, Class D
Audience: Agencies

Most Recent Consolidated Rules

AGU-SPN-MRC

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

Agencies MUST follow the most recent FedRAMP Consolidated Rules when initiating agency-sponsored FedRAMP Certification.
