Governance

How FedRAMP is Governed

FedRAMP is governed by several executive branch entities that work collaboratively to develop, manage, and operate the program. The governing entities of FedRAMP include:

Joint Authorization Board (JAB)

The JAB is the primary governance and decision-making body for FedRAMP. The JAB consists of the Chief Information Officers from the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA). View the JAB Charter [PDF - 248KB]. The JAB is responsible for:

  • Defining and regularly updating the FedRAMP security authorization requirements
  • Approving accreditation criteria for Third Party Assessment Organizations (3PAOs)
  • Reviewing authorization packages for cloud services based on the priority queue
  • Granting provisional authorizations for cloud services, which Executive departments and agencies can leverage as an initial approval when granting their own security authorizations and an accompanying Authority to Operate (ATO) for use
  • Ensuring that provisional authorizations are reviewed and updated regularly, and notifying Executive departments and agencies of any changes to provisional authorizations, including removal of such authorizations
  • Establishing and publishing priority queue requirements for authorization package reviews

Office of Management and Budget (OMB)

The governing body that issued the FedRAMP policy memo that defines the key requirements and capabilities of the program

Chief Information Officer (CIO) Council

Disseminates FedRAMP information to Federal CIOs and other representatives through cross-agency communications and events

National Institute for Standards and Technology (NIST)

Advises FedRAMP on Federal Information Security Modernization Act (FISMA) compliance requirements