FedRAMP's Responsibilities

FedRAMP has considerable responsibility throughout the FedRAMP process, outlined in both the FedRAMP Authorization Act and OMB Memorandum M-24-15. Broadly, for cloud services within the scope of FedRAMP, it is responsible for establishing a government-wide approach to the initial and ongoing assessment of cloud services and their use by agencies in federal information systems. This includes:

  1. Establishing the rules that cloud service providers, independent assessors, and agencies will follow to obtain, maintain, and/or use a FedRAMP Certification.
  2. Providing instructions to agencies on the use of FedRAMP Certification materials and their integration into agency information systems.
  3. Ensuring secure mechanisms are in place for sharing initial and ongoing FedRAMP Certification information and related materials between cloud service providers and agencies.
  4. Granting FedRAMP Certifications and maintaining a public record of these Certifications and their progress.
  5. Providing a minimum level of continuous monitoring and requesting corrective action as necessary to ensure cloud service providers meet their ongoing certification obligations.
  6. Recognizing independent assessment companies that follow FedRAMP rules and relying on such independent assessors to analyze, validate, and attest to the quality and compliance of security assessment materials provided by cloud services.
  7. Engaging with companies and the public to gather feedback on proposed changes to guidance and requirements.
  8. Owning government-wide outreach and information gathering from cloud services.

Limitations on FedRAMP's Responsibilities

FedRAMP does not determine if a cloud service provider is “secure enough” for government use and does not issue government-wide authorizations to operate.

The primary purpose of a FedRAMP Certification is to supply, in accordance with FedRAMP rules, enough information for agencies to make consistent, well-informed decisions as they manage federal information systems under all relevant federal requirements.

Notably, FedRAMP does not enter into any legal agreements or contracts with cloud service providers, and has no legal enforcement authority or responsibility. FedRAMP can request corrective action from a cloud service provider or independent assessor, and companies may choose to take that action, but FedRAMP cannot compel them to do so. Where a company chooses not to take effective corrective action, FedRAMP may revoke its FedRAMP Certification for a period of time, but no other punitive action is available to FedRAMP.

In short, FedRAMP grants or revokes FedRAMP Certification while companies choose whether or not to maintain their FedRAMP Certification by following FedRAMP rules.
