Guidance on FedRAMP's Applicability to State and Local Entities
In December 2011, the federal government established FedRAMP to provide a cost-effective and risk-based approach to cloud adoption for executive departments and agencies. This included the development of a risk management framework based on FISMA requirements and NIST 800-53 by which cloud service offerings can be assessed and authorized by federal agencies. Given that FedRAMP is a rigorous cloud security program, there is increased interest from state and local governments in leveraging or requiring FedRAMP for their own cloud-based information systems. We are excited to see other government entities embracing secure cloud technologies.
FedRAMP is specific to cloud technologies that store, process, or transmit federal information. Cloud Service Providers (CSPs) must partner with a federal agency to assess and authorize a cloud service offering for FedRAMP Authorization. Due to FedRAMP’s specificity to federal information, non-federal government organizations (e.g., state, local, tribal, territorial, etc.) are not able to partner with CSPs for FedRAMP Authorization.
Where information systems at the state and local levels are processing federal information, the federal agency responsible for that information is charged with determining if FedRAMP Authorization is required.
Non-federal government organizations should understand the information types within their cloud systems and engage their partners at the federal level to evaluate whether FedRAMP is applicable. Federal agencies should understand where their information flows to state and local government information systems and account for those systems when assessing their cloud environments.
Some cloud service deployments are available for non-federal government use, specifically Public Cloud and some Government-Only Community Clouds.
- Public Cloud: Multi-tenant cloud environment available for government and non-government customers.
- Government-Only Community Cloud: Multi-tenant cloud environment specific to government data that can include federal, state, local, tribal, territorial, etc. information types. Depending on the CSP, Government Community Clouds may be restricted to federal systems.
Non-federal government organizations can review the FedRAMP Marketplace for cloud service offerings that have achieved FedRAMP Authorization for public and government community cloud offerings and work with CSPs to understand how those systems can be leveraged for state and local use. Additionally, CSPs can directly provide non-federal entities copies of their FedRAMP Authorization package for review.