Summary

FedRAMP process

• Initiate-Agency checks whether CSP has existing ATO from JAB/other agency if yes ask for the SA&A package for review, if no initial a request to tell FeRAMP PMO whether CSP will be pursing an agency ATO or JAB ATO
• Apply: CSP applies to FeRAMP PMO to become FeRAMP Compliant or can be sponsored by an agency to become FeRAMP Compliant
• Implement-CSP implements  FedRAMP baseline security controls  in accordance with their system categorization
• Document- CSP develops an SSP to document controls-CMP, CP and CP Test
• Assess
  • Categorize system
• 3PAO Create a Security Assessment Plan
• 3PAO Perform initial and periodic assessments of CSP security controls
• 3PAO Conduct security tests and produce a Security Assessment Report and POAM
• Authorize-Agency reviews SA&A package (SAR, POAM and SSP) to other issue an ATO, Interim ATO, Denial an ATO or leverage existing ATO from JAB-(Agency ATO or JAB ATO)
• Monitor
  • Agency and PMO staff review continuous monitoring artifacts available in the FedRAMP secure repository periodically
• Make continuous monitoring artifacts available in the FedRAMP secure repository
• Report-Agencies reports CSP who they think cannot meet FeRAMP requirement
• Main FedRAMP page http://cloud.cio.gov/fedramp
• Cloud system can only be categorized as Moderate or Low
• All the templates are provided on the main FedRAMP page

FEdRAMP And RMF Short Version

Complete Version