The FedRAMP Program Management Office (PMO) used to publish monthly Tips and Cues that provided helpful information about FedRAMP to Agencies, CSPs, 3PAOs, and other stakeholders. Tips and Cues have been integrated into FAQs. Please reach out to firstname.lastname@example.org with any questions.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP empowers agencies to use modern cloud technologies, with emphasis on security and protection of federal information.
FedRAMP eliminates duplicative efforts by providing a common security framework. Agencies review their security requirements against a standardized baseline. A Cloud Service Provider (CSP) goes through the authorization process once, and after achieving an authorization for their Cloud Service Offering (CSO), the security package can be reused by any federal agency.
FedRAMP enables the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations and allowing agencies to leverage security authorizations on a government-wide scale.
Yes, FedRAMP is mandatory for all Executive Agency cloud deployments and service models at the low, moderate, and high risk impact levels. Please refer to the FedRAMP Policy memo for further information pertaining to FedRAMP’s applicability.
All official FedRAMP documentation is maintained on fedramp.gov. Opportunities for large-scale public comment periods will be messaged via a number of channels and methods, including the fedramp.gov website, Focus on FedRAMP blog, or by subscribing to FedRAMP email updates.
TIC modernization under OMB M-19-26 provides flexibility in the TIC capabilities and architectures that support cloud implementations. TIC controls are generally aligned with NIST SP 800-53 and should be mapped to and evaluated against the applicable FedRAMP security control baseline. Determining the applicable and appropriate controls is a shared responsibility of CSPs and agencies, who together establish a solution architecture that supports TIC policy enforcement points and the other protections described in the TIC 3.0 Reference Architecture and TIC 3.0 Security Capabilities Catalog.
FedRAMP is FISMA for the cloud. Per FISMA, NIST is responsible for establishing “policies which shall set the framework for information technology standards for the Federal Government.” Based on this law, NIST developed the Risk Management Framework.
Both FedRAMP and FISMA use the NIST SP 800-53 security controls. The FedRAMP security controls are based on NIST SP 800-53 baselines and contain controls, parameters and guidance above the NIST baseline that address the unique elements of cloud computing.
There is a shared security responsibility model when using cloud products. Cloud Service Providers (CSPs) and Agencies (customers) both assume important security roles and responsibilities to ensure data is protected within cloud environments. CSPs are required to submit a Control Implementation Summary (CIS) workbook as an attachment to the System Security Plan (SSP). The CIS workbook identifies security controls that the CSP is responsible for implementing, security controls that the agency (customer) is responsible for implementing, security controls where there is a shared CSP/agency responsibility, and security controls that are inherited from an underlying FedRAMP Authorized Infrastructure-as-a-Service (IaaS)/Platform-as-a-Service (PaaS). The CIS workbook also includes a Customer Responsibility Matrix (CRM) worksheet tab. CSPs must use the CRM to describe the specific elements of each control where the responsibility lies with the customer. Further details are also provided within the CSP’s SSP.
FedRAMP provides two CIS Workbook templates: one for Low and Moderate systems and one for High systems. Both are available on FedRAMP.gov’s Documents & Templates page.
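An agency reviewing a package has to turn the CIS and CRM into a concrete list of controls it must implement or contribute to, and check that every Customer or Shared control actually has a CRM description behind it. The script below is an added example, not FedRAMP's or any CSP's code: it reconciles a CIS-style worksheet against a CRM-style worksheet. The column names ("Control ID", "Implementation Status", "Responsibility", "Customer Responsibility") and all sample rows are constructed for illustration and do not reproduce the exact layout of the FedRAMP templates, which are distributed as spreadsheets; a CSV export is assumed.

```python
"""Reconcile a CIS worksheet with its CRM tab to derive agency obligations.

Added example. Column names and sample rows are constructed; the real
FedRAMP CIS workbook is a spreadsheet whose layout may differ.
"""
import csv
import io

# Constructed CIS sample: one row per control with the responsibility
# category the CSP selected. "Vendor" is deliberately not a valid value.
SAMPLE_CIS = """\
Control ID,Implementation Status,Responsibility
AC-2,Implemented,Shared
AC-2(1),Implemented,CSP
AC-7,Implemented,Customer
AU-2,Implemented,Inherited
IA-5(1),Partially Implemented,Shared
SC-7,Implemented,CSP
CM-6,Implemented,Vendor
"""

# Constructed CRM sample: the CSP's description of the customer's part of
# each Customer or Shared control. IA-5(1) is intentionally missing.
SAMPLE_CRM = """\
Control ID,Customer Responsibility
AC-2,Customer manages user accounts within the tenant and reviews them quarterly.
AC-7,Customer configures lockout thresholds in the tenant admin console.
"""

# The four responsibility categories the CIS workbook distinguishes.
VALID_RESPONSIBILITIES = {"CSP", "Customer", "Shared", "Inherited"}


def load_rows(csv_text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(cis_text, crm_text):
    """Return the agency-relevant view of a CIS/CRM pair.

    agency_controls:       controls the agency must implement (Customer)
                           or contribute to (Shared)
    missing_crm:           Customer/Shared controls with no CRM description,
                           which the agency should raise with the CSP
    inherited:             controls inherited from the underlying IaaS/PaaS
                           (the agency should confirm that layer is Authorized)
    not_fully_implemented: controls whose status is not "Implemented";
                           these are expected to have POA&M entries
    invalid:               rows whose responsibility value is not one of the
                           four CIS categories (a workbook quality problem)
    """
    crm = {r["Control ID"].strip(): r["Customer Responsibility"].strip()
           for r in load_rows(crm_text)}
    result = {"agency_controls": [], "missing_crm": [], "inherited": [],
              "not_fully_implemented": [], "invalid": []}
    for row in load_rows(cis_text):
        cid = row["Control ID"].strip()
        resp = row["Responsibility"].strip()
        status = row["Implementation Status"].strip()
        if resp not in VALID_RESPONSIBILITIES:
            result["invalid"].append(cid)
            continue
        if resp in ("Customer", "Shared"):
            result["agency_controls"].append(cid)
            if not crm.get(cid):
                result["missing_crm"].append(cid)
        elif resp == "Inherited":
            result["inherited"].append(cid)
        if status != "Implemented":
            result["not_fully_implemented"].append(cid)
    return result


if __name__ == "__main__":
    for key, ids in reconcile(SAMPLE_CIS, SAMPLE_CRM).items():
        print(f"{key}: {', '.join(ids) or '(none)'}")
```

Run against the constructed samples, the script lists AC-2, AC-7 and IA-5(1) as agency obligations, flags IA-5(1) as lacking a CRM description and as not fully implemented, lists AU-2 as inherited, and rejects the CM-6 row. The same reconciliation is what an agency performs in the package review and risk analysis step before issuing its own ATO.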
The FedRAMP approver that can sign a Package Access Request Form [PDF - 278KB] is either the agency’s Chief Information Security Officer (CISO), Authorizing Official (AO), Authorizing Official Designated Representative (AODR) or Designated Approving Authority (DAA). If the form is signed by a DAA, that person must be at a level that has the authority to grant an Authority to Operate (ATO) for an information system.
If a Cloud Service Offering (CSO) is listed as FedRAMP Authorized on the FedRAMP Marketplace, it has successfully completed the FedRAMP Authorization process with the JAB or a federal agency. The FedRAMP Authorized designation indicates FedRAMP requirements are being met and a CSO’s security package is available for agency reuse. This means that any agency can request access to the security package for a FedRAMP Authorized CSO, review the security package, and issue their own Authority to Operate (ATO) for the product.
When reusing FedRAMP security packages, agencies should:
- complete and sign the FedRAMP Package Access Request Form [PDF - 278KB] (if the requestor is not a federal employee, they must also complete the associated Non-Disclosure Agreement for the FedRAMP Authorized CSO);
- conduct a package review and risk analysis;
- understand and implement customer responsibilities;
- issue an ATO and send ATO letters to email@example.com; and
- perform continuous monitoring responsibilities.
More guidance can be found in the Reusing Authorizations for Cloud Products Quick Guide [PDF - 72KB].
NIST SP 800-37 describes the ATO and ATU as very similar in that both are mechanisms for documenting and accepting the risk of an information system and approving its use by the agency. ATUs are typically used for shared systems, but they still document the acceptance of risk and the approval of use based on an external security assessment. FedRAMP accepts both ATOs and ATUs. However, in order for FedRAMP to accept an ATU, there must be at least one ATO on file for the CSO.
As a registered OMB MAX user, you have the ability to “watch” a page. To watch a page, click the icon labeled “watchers” in the upper-right corner of the screen. When a page is being watched, you will be notified via email of changes made to that page. This can be particularly helpful for Cloud Service Providers (CSPs), agencies, or Third Party Assessment Organizations (3PAOs) as they anticipate the uploading of key documents, like a System Security Plan (SSP) or Security Assessment Report (SAR). To stop watching a page, simply click again on the icon in the upper-right corner of the screen.
Simply email firstname.lastname@example.org to request access extensions. Agencies can work directly with Cloud Service Providers to obtain a copy of the package and request permissions to save, print, email, post, publish, or reproduce. If your agency has already issued an Authority to Operate (ATO) you can submit the ATO to email@example.com and receive permanent access to the package as long as an ATO is on file with the FedRAMP Program Management Office (PMO).
Cloud Service Providers
There are three designations available on the FedRAMP Marketplace: FedRAMP Ready, In Process, or Authorized.
- FedRAMP Ready indicates that a Third Party Assessment Organization (3PAO) attests to a Cloud Service Provider’s (CSP’s) readiness for the authorization process, and that a Readiness Assessment Report (RAR) has been reviewed and approved by the FedRAMP Program Management Office (PMO). The RAR documents the CSP’s capability to meet FedRAMP security requirements.
- In Process is a designation provided to CSPs that are actively working toward a FedRAMP Authorization with either the Joint Authorization Board (JAB) or a federal agency.
- The Authorized designation is provided to CSPs that have successfully completed the FedRAMP Authorization process with the JAB or a federal agency. This designation indicates the CSP’s security package is available for agency review and reuse. Private cloud offerings are not listed on the FedRAMP Marketplace as they do not meet the intent of “do once, use many times” and the security packages are not reusable.
More detail about these designations and how to be listed on the Marketplace can be found in the FedRAMP Marketplace: Designations for Cloud Service Providers [PDF - 652KB] guidance document.
As a first step, please complete the FedRAMP Program Management Office’s (PMO’s) CSP Information Form to notify our team of your intent to pursue FedRAMP Authorization with a federal agency and to initiate scheduling of an intake call with the PMO. During this call, the PMO will walk you through the Agency Authorization process. Additionally, please review the Get Authorized: Agency page and the FedRAMP Agency Authorization Playbook [PDF - 1.24MB]. This document provides an overview of every aspect of the Agency Authorization process, including roles and responsibilities for the CSP and agency at each step. If you have any questions after reviewing guidance materials, please forward them to firstname.lastname@example.org.
FedRAMP recognized 3PAOs and FedRAMP Authorized CSPs may use the FedRAMP logo. Use of the FedRAMP logo, in conjunction with qualified products, services, or organizations, does not require approval. The FedRAMP Program Management Office (PMO) must approve any major educational or promotional campaigns that feature the FedRAMP logo prior to use. The submitted materials will be reviewed for consistency with these guidelines within two weeks of receipt of the materials. Materials should be submitted to email@example.com with the following in the subject line: “FedRAMP Branding Review.”
Please review the FedRAMP Branding Guidance [PDF - 932KB] for more answers to your FedRAMP logo questions.
Third Party Assessors
Third Party Assessment Organizations (3PAOs) play a critical role in the authorization process by assessing the security of a Cloud Service Offering. As independent third parties, they perform initial and periodic assessments of cloud systems to ensure they meet FedRAMP requirements. The federal government uses 3PAO assessments as the basis for making informed, risk-based authorization decisions for the use of cloud products and services. 3PAOs are accredited by the American Association for Laboratory Accreditation (A2LA). A list of FedRAMP recognized 3PAOs can be found on the FedRAMP Marketplace under the “Assessors” tab.
In addition to the critical role that 3PAOs play in assessing cloud services, some Cloud Service Providers (CSPs) use 3PAOs as consultants to help prepare security documentation or provide security advisory services. When CSPs use 3PAO advisors, they must select a different 3PAO to conduct an assessment of their cloud service to ensure that the assessor maintains impartiality.
In order to become a FedRAMP recognized 3PAO, A2LA must perform an initial assessment of the 3PAO and provide an initial assessment recommendation to FedRAMP for approval. For a 3PAO to maintain its FedRAMP recognition, A2LA must perform a favorable annual review and a full on-site reassessment every two years. A2LA assessments ensure 3PAOs meet the requirements of ISO/IEC 17020 (as revised) and FedRAMP-specific knowledge requirements. More information on becoming an accredited 3PAO may be found on the A2LA website.
For the JAB Authorization process, the assessment organization must be a FedRAMP recognized 3PAO. For the Agency Authorization process, a 3PAO is recommended, but not required. A CSP’s agency partner may choose to use their own Independent Verification and Validation (IV&V) organization to assess the system. If an agency chooses to use their own IV&V team, they must submit an attestation regarding the team’s independence, and the IV&V team must use FedRAMP templates for the assessment and follow all FedRAMP requirements.
For the JAB Authorization process, CSPs must use a FedRAMP recognized 3PAO for annual assessments of their cloud system and to evaluate the impact of some changes a CSP makes to its cloud system. For the Agency Authorization process, a 3PAO is recommended, but not required. Additionally, some CSPs may acquire 3PAO services for monthly continuous monitoring.
Cloud Service Offerings (CSOs) can obtain an ATO or P-ATO one of two ways:
Provisional Authority to Operate (P-ATO) through the Joint Authorization Board (JAB): A JAB P-ATO is an initial approval of the Cloud Service Provider (CSP) authorization package by the JAB that any federal agency can leverage to grant an ATO for the use of the cloud service within their agency. The JAB consists of the Chief Information Officers (CIOs) from the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA), supported by designated technical representatives (TRs) from their respective member organizations. The JAB P-ATO is called a provisional ATO because there is no risk accepted by JAB CIOs. The JAB P-ATO signifies all three JAB Agencies reviewed the security package and deemed it acceptable for the federal community. In turn, Agencies review the JAB P-ATO and the associated security package and clear it for their Agencies’ use. In doing so, the agency issues their own authorization to use the product. Additionally, the JAB will conduct continuous monitoring for systems that have earned a P-ATO.
Agency Authority to Operate (ATO): As part of the Agency Authorization process, a CSP works directly with the agency partner who reviews the cloud service’s security package. After completing a security assessment, the agency Authorizing Official (or their designee) can issue an ATO.
No, using a FedRAMP Authorized infrastructure does not automatically make your service FedRAMP compliant. Each layer (i.e., IaaS, PaaS, and SaaS) must be evaluated on its own and be FedRAMP Authorized. However, when your software sits on a FedRAMP Authorized infrastructure, it will inherit controls from that authorized system and you can explain this in your documentation.
Yes, a FedRAMP recognized 3PAO must perform an announced penetration test as part of the assessment/testing process for Moderate and High systems. For more information, please refer to the FedRAMP Penetration Test Guidance [PDF - 984KB].
Continuous Monitoring ensures a service offering maintains an appropriate security posture for the life of the system at an agency. Cloud Service Providers (CSPs) maintain and validate the security posture of their service offering through vulnerability management, including monthly operating system, database, and web application scanning reports. They also conduct an Annual Assessment and report incidents. Please refer to the FedRAMP Continuous Monitoring Strategy Guide [PDF - 1.11MB] for a list of all continuous monitoring deliverable requirements and to the FedRAMP Continuous Monitoring Performance Management Guide [PDF - 800KB] for guidance on continuous monitoring and ongoing authorization in support of maintaining a security authorization that meets the FedRAMP requirements.
All of the false positives found during the Annual Assessment should be added to the Plan of Action and Milestones (POA&M). If they are approved before the SAR is closed/signed, they are moved to the “Closed POA&M Items” tab. If they have not been approved, they should remain in the “Open POA&M Items” tab until approved. Then, at least annually during assessment, the false positives should be evaluated for continued false positive status. For more information on handling the Annual Assessment and scan findings review the FedRAMP Continuous Monitoring Strategy Guide [PDF - 1.11MB].
A change in infrastructure would be considered a significant change that would need to be evaluated for the scope of the change, impact on the risk posture, and could possibly result in the need for re-authorization. See the FedRAMP Program Management Office’s (PMO’s) Significant Change Policies and Procedures guidance [WORD - 563KB] for more information.
No. Agencies cannot make a JAB P-ATO a requirement to bid on a federal contract. Federal agencies cannot include a JAB P-ATO as a condition of the contract, as no agency can commit the JAB to issuing a P-ATO.
Program offices seeking to expedite a FedRAMP Authorization can consider source selection criteria that can be used in evaluating offerors that may already have a JAB P-ATO. Inclusion of such evaluation criteria should be discussed with the agency acquisition IPT, including appropriate legal representation.
FedRAMP requirements apply to all federal agencies when federal information is collected, maintained, processed, disseminated, or disposed of by Cloud Service Providers. Federal agencies are responsible for ensuring the FedRAMP requirements are met. Contractors are held accountable for performance written into a contract. Program and project managers must include FedRAMP requirements in performance criteria, deliverables, and other appropriate performance outcomes to facilitate inclusion in contract awards.
No. The FedRAMP process builds on the NIST FISMA baseline controls by removing requirements that are not applicable to commercial entities and replacing those with controls more appropriate for ensuring security related to protecting information maintained on behalf of the federal government.
Perhaps. FedRAMP Ready means a CSP has expressed an interest in becoming a federal provider by sharing information with the federal government that indicates they can meet several of the baseline FedRAMP criteria. FedRAMP Ready does not mean the vendor has achieved FedRAMP Authorization via the JAB or an agency.
In some cases, but only if there are an adequate number of vendors to allow for effective competition. Inclusion of FedRAMP Authorization as a condition of contract award or use as an evaluation factor should be discussed with the agency acquisition IPT, including appropriate legal representation.
Yes. If an agency has constraints and/or requirements for specific data locations (e.g., data-at-rest), the agency should make those specific requirements known through the solicitation process. FedRAMP does specify data location requirements in the High baseline as part of control SA-9 (5); however, FedRAMP does not provide or specify data location requirements for the other baselines. Beyond FedRAMP, other federal statutes, regulations, or policies may apply.
No. Federal agencies have the responsibility and discretion to include any requirements necessary to protect information. FedRAMP sets a baseline for protecting federal information in a cloud environment.
FedRAMP requires CSPs to describe their organization’s personnel screening requirements. If an agency has requirements for federal background investigations, or additional screening and/or citizenship and physical location (e.g., U.S. citizens in CONUS offices only), then those requirements would need to be specified in the solicitation language, which may affect bid pricing.