Page Info
Description: A narrative overview of how to get started using FedRAMP that introduces folks to the rest of this section. Diagrams?
Purpose: Help folks transition from landing into navigating the rest of the agency getting started section.
Getting Started with FedRAMP as a Federal Agency
Build Agency Policy
In addition to a plethora of new terminology and some new concepts, FedRAMP 20x imposes a very different set of requirements on Cloud Service Providers. It is likely that many Agency policies will need to be updated to align with the new FedRAMP guidance. These updates are mandated by OMB M-24-15 and we fully expect Inspectors General to enforce this requirement on agencies starting this year. FedRAMP understands that navigating the sometimes complex statutory requirements for approving information systems can be difficult, and we are committed to providing guidance, tools, and documentation to help Agencies through this process.
Communications
Continuous communication between FedRAMP, Cloud Service Providers, and the Agency is critical to the successful implementation of FedRAMP's mission and allows the Agency to get the maximum benefit. The following communication best practices will benefit both the Agency and the FedRAMP community:
- Agencies SHOULD establish and maintain a dedicated, shared FedRAMP agency inbox (e.g., fedramp@agency.gov) to serve as the official point of contact for all communications between FedRAMP and the agency.
- The shared FedRAMP agency inbox SHOULD be continuously monitored by agency personnel designated to support FedRAMP certifications.
- Agencies SHOULD ensure that all correspondence related to FedRAMP certifications and continuous monitoring is routed through the shared FedRAMP agency inbox to enable continuity, accountability, and recordkeeping.
- The shared FedRAMP agency inbox SHOULD remain active and accessible even during personnel transitions to avoid communication gaps.
Best Practices
FedRAMP provides numerous tools and forums to support Agencies in their use of FedRAMP. Agencies should strongly consider the following best practices:
- Agencies SHOULD assign at least one federal employee to be an active participant in the FedRAMP agency liaison program.
- Agencies SHOULD contribute to FedRAMP lessons-learned reporting, including sharing risk acceptance rationales, to improve government-wide reuse and transparency.
- Agencies SHOULD participate in FedRAMP working groups, community of practice sessions, and stakeholder engagements to provide feedback and align practices across government.
- Agencies SHOULD submit agency-developed security artifacts (e.g., implementation details, system-specific configuration baselines) into the FedRAMP repository when those materials may be useful for reuse by other agencies.
FIPS 199 Security Categorization (Impact Levels)
It is the responsibility of the Agency to determine the correct impact categorization following the guidelines in FIPS 199. FedRAMP certifications are categorized by class. The class indicates ONLY the depth of the information provided by the CSP. It is NOT an indication that the system is appropriate or not appropriate for data of a specific FIPS 199 category.
Agencies MAY accept compensating controls or risk-acceptance decisions in cases of control misalignment between federal and external frameworks. It has long been a misconception that agencies can only use FedRAMP-certified services at the named security categorization. Agencies are able to authorize the use of cloud services at any security categorization level. The FedRAMP certification only signifies that the certified cloud service has made enough information available about their service to facilitate a risk-based decision at a security categorization. This is also why FedRAMP is moving away from FIPS 199 categorization levels in favor of class denominations.