FedRAMP – For Cloud Computing
FedRAMP process
- Initiate-Agency checks whether CSP has existing ATO from JAB/other agency if YES asks for the SA&A package for review, if NO initiates a request to tell FeRAMP PMO whether CSP will be pursing an agency ATO or JAB ATO
- Apply: CSP applies to FeRAMP PMO to become FeRAMP Compliant or can be sponsored by an agency to become FeRAMP Compliant
- Implement-CSP implements FedRAMP baseline security controls in accordance with their system categorization
- Document- CSP develops an SSP to document controls-CMP, CP and CP Test
- Access
- Categorize system
- 3PAO Create a Security Assessment Plan
- 3PAO Perform initial and periodic assessments of CSP security controls
- 3PAO Conduct security tests and produce a Security Assessment Report and POAM
- Authorize-Agency reviews SA&A package (SAR, POAM and SSP) to other issue an ATO, Interim ATO, Denial an ATO or leverage existing ATO from JAB-(Agency ATO or JAB ATO)
- Monitor
- Agency and PMO staff review continuous monitoring artifacts available in the FedRAMP secure repository periodically
- CSPs make continuous monitoring artifacts available in the FedRAMP secure repository
- Report-Agencies report CSP who they think cannot meet FeRAMP requirement
- Main FedRAMP page http://cloud.cio.gov/fedramp
- Cloud system most of the time are categorized as Moderate or Low
- All the templates are provided on the main FedRAMP page
error: Content is protected !!
Login
Accessing this course requires a login. Please enter your credentials below!