FedRAMP
Contents
Full Title
The Federal Risk and Authorization Management Program (FedRAMP) applies to all cloud service purchased by the civilian US government.
Context
FedRAMP is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. In 2011, the Office of Management and Budget (OMB) released a memorandum establishing the Federal Risk and Authorization Program (FedRAMP) “to provide a cost-effective, risk-based approach for the adoption and use of cloud services to Executive departments and agencies”. The General Services Administration (GSA) established the FedRAMP Program Management Office (PMO) in June 2012. The FedRAMP PMO mission is to promote the adoption of secure cloud services across the Federal Government by providing a standardized approach to security and risk assessment. Per the OMB memorandum, any cloud services that hold federal data must be FedRAMP Authorized. FedRAMP prescribes the security requirements and process cloud service providers must follow in order for the government to use their service.
Solutions
- Office of Management and Budget Releases Draft Memorandum for Modernizing the Federal Risk and Authorization Management Program (FedRAMP) published by the White House on 2023-10-27
- FedRAMP reform measures enacted as Biden signs NDAA into law 2022-12-23 as part of huge funding bill which enables agencies to assume approved software is safe.
- Starting in fiscal year 2023 (2022-10-01) any “Federal Civilian Executive Branch” system must identify assets (which is defined as an IP address) and vulnerabilities. https://www.cisa.gov/binding-operational-directive-23-01
- Most cloud providers (AWS,Azure, etc) have special "FED only" clouds.
- Google has achieved IL4 on its entire cloud offering.
