
FedRAMP Cyber Security Certification 5

FedRAMP: Questions and Answers

Q. What is FedRAMP?

A. The Federal Risk and Authorization Management Program (FedRAMP) is a US government program that provides a unique approach toward security assessment, authorization, and continuous monitoring for cloud products and services.

Q. Is FedRAMP mandatory?

A. Yes, FedRAMP is mandatory for Federal Agency cloud deployments and service models at the low, moderate, and high risk impact levels. Additionally, Agencies must submit a quarterly report in PortfolioStat listing all existing cloud services that do not meet FedRAMP requirements with the appropriate rationale and proposed resolutions for achieving compliance.

Q. Are third-party vendors required to be FedRAMP authorized?

A. The third-party vendor does not have to be FedRAMP compliant, but there are security controls you must make sure they adhere to. If there is a connection to the third-party vendor, it should be listed in the Interconnection Table of the System Security Plan. You can also search the System Security Plan template for “third-party” or “third party” to see all of the security controls that apply to third parties.

Q. What is the difference between FISMA and FedRAMP controls?

A. Both FedRAMP and FISMA use the NIST SP 800-53 security controls. The FedRAMP security controls are based on NIST SP 800-53 Revision 4 baselines and contain controls above the NIST baseline that address the unique elements of cloud computing.

Q. How will FedRAMP help make cloud computing more secure for the federal government?

A. FedRAMP requirements include additional controls above the standard NIST baseline controls in NIST SP 800-53 Revision 4. These additional controls address the unique elements of cloud computing to ensure all federal data is secure in cloud environments.

Q. Are cloud services that are listed as “In Process” considered FedRAMP compliant?

A. Cloud services “In Process” should not present themselves as FedRAMP compliant to Agencies. A cloud service posted as “In Process” on fedramp.gov only indicates that the provider is working with the Joint Authorization Board (JAB) or an Agency to attain a FedRAMP authorization.

Q. Does the Federal Government Audit Me?

A. No, the audit can be performed by any accredited Third Party Assessment Organization (3PAO) of your choosing.

Q. How much does FedRAMP Certification cost?

A. A company should be prepared to pay a minimum of $15,000 for a comprehensive audit, but the cost could range upwards of $150,000 or more, as the time and complexity of the audit increase with company size.

Prashant Phatak

Founder & CEO, Valency Networks

Prashant Phatak is an accomplished leader in the field of IT and Cyber Security. He is Founder and C-level executive of his own firm, Valency Networks. Prashant specializes in Vulnerability Assessment and Penetration Testing (VAPT) of Web, Networks, Mobile Apps, Cloud apps, IoT and OT networks. He is also a certified lead auditor for ISO27001 and ISO22301 compliance. As a proven problem solver, Prashant's expertise is in the field of end-to-end IT and Cyber Security consultancy to various industry sectors.
