Page Info
Description: A broad overview of how agencies leverage (use) FedRAMP Certifications within their information security programs for cloud services.
Purpose: Introduces agencies to the basic concepts and expectations of using FedRAMP Certifications, highlighting the need to treat cloud services as a third-party service that is used in an agency information system (not something that becomes an agency information system itself). It also makes agencies aware of the government-wide implications.
Using a FedRAMP Certified Cloud Service
FedRAMP certifies cloud services. Agencies authorize Federal Information Systems of which one or more cloud services may be a part. Agencies can use FedRAMP 20x certifications to review the security of a cloud service, but the agency authorization should authorize the agency’s implementation of the cloud service, not the cloud service itself. The agency should not require a 20x-certified cloud service to provide Rev5 artifacts in support of an agency Rev5 authorization package. The agency should reference evidence provided in the 20x certification to support their agency authorization. The agency authorization can take any form approved by the agency, whether that is a Rev5 authorization or a process that more closely resembles 20x.