What is FedRAMP?

FedRAMP stands for Federal Risk and Authorization Management Program. The goal of FedRAMP compliance is to standardize security controls revolving around cloud services and it applies to those federal agencies who have adopted cloud services (mandatory) as well as their cloud service providers. 

FedRAMP compliance allows cloud service providers the ability to contract with multiple government agencies without having to meet different standards for each agency, as was the case before. FedRAMP is now the lone security framework used for all government agencies.

FedRAMP & NERC CIP Compliance

Who Should Pursue FedRAMP Compliance?

Cloud computing services or software-as-a-service (SaaS) applications who intend on working with US government agencies must demonstrate that their systems are FedRAMP compliant.

FedRAMP Compliance Process

How To Achieve FedRAMP Compliance

There are two ways to achieve FedRAMP authorization. The first is by being sponsored by an existing government agency, and working with that agency to achieve compliance. The second is by submitting a request to the FedRAMP Job Authorization Board (JAB), which is the governing body for FedRAMP. Each route has its own challenges. On one hand finding a government agency to sponsor you go the agency route can be difficult and time consuming. On the other hand, attempting the JAB route is highly competitive and rigorous with the JAB only selecting approximately 12 companies per year to run through the FedRAMP authorization process.

FedRAMP Requirements

In order to achieve FedRAMP certification, cloud service providers or SaaS applications must meet the following standards:

  1. Complete FedRAMP documentation including the FedRAMP SSP.
  2. Implement controls in accordance with FIPS 199 categorization.
  3. Have system assessed by a FedRAMP Third Party Assessment Organization.
  4. Remediate findings from assessment.
  5. Develop a Plan of Action and Milestones.
  6. Obtain Authorization through agency or JAB process (outlined above)
  7. Implement continuous monitoring, including monthly vulnerability scans.
In addition to this list, some of these steps have further requirements that need to be met. For example, when going through the JAB process, a desired characteristic for priortized companies is that SOC2, ISO27001, and PCI certifications should already be in place.
Managed Compliance Advisor

Let Red Lion Assist in your FedRAMP Compliance

Do you still have questions regarding FedRAMP? Our compliance professionals can help you to understand and comply with FedRAMP, regardless of complexity.

Contact Us Today

Other Regulations & Services That You May Be Interested In:


Systems and Organizational Controls

NIST 800-171

National Institute for Standards and Technology, series 800-171
Translate »