FedRAMP cloud compliance

The aim of FedRAMP is to allow US Government agencies to reap the benefits of cloud services while minimizing duplicative information security work. Cloud Service Providers (CSPs) are vendors offering cloud products, such as IaaS, PaaS, and SaaS, for sale to the Government. These systems must meet the requirements of FISMA, and FedRAMP provides a way to streamline the independent security assessment process for maximum efficiency so organizations can pursue a cloud-first strategy. In 2016, FedRAMP announced a new accelerated process that changed how the FedRAMP Joint Authorization Board (JAB) grants Provisional Authorizations to Operate (P-ATOs), with the goal of speeding up the provisional authority to operate. The goal was to create a leaner authorization management program allowing a more predictable timeline for security authorization package assessments.
FedRAMP relies on several NIST Special Publications, including SP 800-53 as a catalog of system controls and SP 800-37 for risk management. The streamlining comes from a deliberate focus on which controls are managed by the CSP and which are managed by the agency purchasing the cloud services. As an example, a SaaS provider offers the same shared physical security protections to all users of its system, because it uses a single data center or hosting facility, and this should result in low risk for users of that provider. Conversely, each acquiring agency is responsible for implementing password controls that are appropriate and sufficiently secure for its own use.
A CSP wishing to sell services to the US Government must identify which controls are relevant to the services being sold, and then engage a qualified Third-Party Assessment Organization (3PAO – not to be confused with the robot from Star Wars!) to conduct an assessment that establishes the system's impact level. Once this assessment has been conducted on behalf of one US Government agency, other agencies may rely on the report of that assessment without having to conduct their own, saving time and money.