FedRAMP is the result of close collaboration with cybersecurity and cloud experts from GSA, NIST, DHS, DOD, NSA, OMB, the Federal CIO Council and its working groups, as well as private industry. Additional information on the FedRAMP governance can be found here.
The FedRAMP assessment process is initiated by agencies or cloud service provider (CSPs) beginning a security authorization using the FedRAMP requirements which are FISMA compliant and based on the NIST 800-53 rev3 and initiating work with the FedRAMP PMO.
CSPs must implement the FedRAMP security requirements on their environment and hire a FedRAMP approved third party assessment organization (3PAO) to perform an independent assessment to audit the cloud system and provide a security assessment package for review.
The FedRAMP Joint Authorization Board (JAB) will review the security assessment package based on a prioritized approach and may grant a provisional authorization. Federal agencies can leverage CSP authorization packages for review when granting an agency Authority to Operate (ATO) saving time and money.
Chief Information Officers from the Department of Defense, the Department of Homeland Security, and the General Services Administration serve on the Joint Authorization Board (JAB).
FedRAMP duties and responsibilities for the JAB
How Can We Help You with your FedRAMP Needs?
ControlCase can help with providing advisory services. In order to assure our independence same organization cannot provide both advisory and assessments. As an advisor we can assist CSP’s and federal agencies with understanding the requirements, impacts to their business/agencies, and best practice approaches to getting FedRAMP certified or leveraging FedRAMP approved CSP’s.