Skip to main content

Updated Frequently Asked Questions

The FedRAMP PMO has added eight additional Frequently Asked Questions (FAQs) to the FedRAMP.gov website. We took these questions from your emails and inquiries into the FedRAMP’s requirements and process.

Here are the new FAQs:

Are third-party vendors required to be FedRAMP authorized?

The third-party vendor does not have to be FedRAMP compliant, but there are security controls you must make sure they adhere to. If there is a connection to the 3rd party vendor, they should be list in the System Security Plan in the Interconnection Table. You can also search through the System Security Plan template and search on “third-party” or “third party” and see all of the security controls that apply to Third Parties.

What is the definition of ‘Cloud Computing’ as included in the FedRAMP memo?

The NIST SP 800-145 definition is: “Cloud computing is a model for enabling convenient, on-demand network access to …”

Contracted federal service providers are required to meet FedRAMP even if their access to the network requires human interaction. On-demand self service (automatic access to server time and network storage, etc. without requiring human interaction) is only 1 of the 5 essential characteristics.

Who are the Authorized FedRAMP Approvers for Federal agencies?

The FedRAMP approver to sign off on your access request form is either your Agency’s CISO or DAA. If the form is signed by a DAA, that person must be at a level that has the authority to grant an ATO for a system.

Unfortunately, FedRAMP does not keep a listing of agency CISOs or DAAs. You will have to get that information from your agency.

My company is looking to obtain FedRAMP certification for one of our existing cloud products. I have Executive support and a Government agency sponsor. Can you please provide my access to the resources for registering our company and the product?

It is best to start with the online training offered by FedRAMP. These courses will help you understand the rigor involved in both the process and documenting a system. These courses are free and on-demand, so you may take them at your leisure.

In order to learn about FedRAMP’s requirements, please review the FedRAMP website for an understanding of the program and how to become compliant. Begin by reading the Program Overview, then the section on Cloud Service Providers, and finally the Guide to Understanding FedRAMP.

I am with a company new to the Federal Cyber-Security market and need to understand the applicability of FedRAMP and to better understand the FedRAMP process.

If you would like to learn more about the program, please review the FedRAMP website for an understanding of the program and how to become compliant. Begin by reading the Program Overview, then the section on Cloud Service Providers, and finally the Guide to Understanding FedRAMP. FedRAMP also offers free, online training that may be beneficial for your endeavor.

How does a company become a 3PAO?

The American Association for Laboratory Accreditation (A2LA) accredits FedRAMP 3PAOs with the FedRAMP PMO providing final approval. Please contact A2LA for more information on becoming an accredited FedRAMP 3PAO. Either call or email Ashley Kamauf, the A2LA Accreditation Officer, at (301) 644 3215 or akamauf@A2LA.org. She will be able to provide you with more information.

Is FedRAMP a new set of controls?

There are no “new” controls for FedRAMP. The FedRAMP security controls are based on NIST SP 800-53 R4 controls for low and moderate impact systems and contain controls above the NIST baseline for low and moderate impact systems that address the unique elements of cloud computing

Who is responsible for the cloud security controls?

The responsibility for the controls will depend on the solution. In summary, the CSP and agency will be responsible for some specific controls, and both parties will share responsibility for other controls. The CSP develops a Control Implementation Summary (CIS) at the beginning of the process that contains a matrix outlining which controls are CSP-provided, agency/customer-provided, and hybrid.  The CSP later develops SSP that further describes the responsibilities for the controls and how exactly the control is implemented by each responsible entity. Both the CIS template and the SSP template are on the FedRAMP website.

Page of