FedRAMP – For Cloud Computing Q4-2024

FedRAMP process

  • Initiate-Agency checks whether CSP has existing ATO from JAB/other agency if YES asks for the SA&A package for review, if NO initiates a request to tell FeRAMP PMO whether CSP will be pursing an agency ATO or JAB ATO
  • Apply: CSP applies to FeRAMP PMO to become FeRAMP Compliant or can be sponsored by an agency to become FeRAMP Compliant
  • Implement-CSP implements  FedRAMP baseline security controls in accordance with their system categorization
  • Document- CSP develops an SSP to document controls-CMP, CP and CP Test
  • Access
    • Categorize system
    • 3PAO Create a Security Assessment Plan
    • 3PAO Perform initial and periodic assessments of CSP security controls
    • 3PAO Conduct security tests and produce a Security Assessment Report and POAM
  • Authorize-Agency reviews SA&A package (SAR, POAM and SSP) to other issue an ATO, Interim ATO, Denial an ATO or leverage existing ATO from JAB-(Agency ATO or JAB ATO)
  • Monitor
    • Agency and PMO staff review continuous monitoring artifacts available in the FedRAMP secure repository periodically
    • CSPs make continuous monitoring artifacts available in the FedRAMP secure repository
  • Report-Agencies report CSP who they think cannot meet FeRAMP requirement
  • Main FedRAMP page http://cloud.cio.gov/fedramp
  • Cloud system most of the time are categorized as Moderate or    Low
  • All the templates are provided on the main FedRAMP page
error: Content is protected !!