Summary Q2-2023

FedRAMP process

  • Initiate-Agency checks whether CSP has existing ATO from JAB/other agency if yes ask for the SA&A package for review, if no initial a request to tell FeRAMP PMO whether CSP will be pursing an agency ATO or JAB ATO
  • Apply: CSP applies to FeRAMP PMO to become FeRAMP Compliant or can be sponsored by an agency to become FeRAMP Compliant
  • Implement-CSP implements  FedRAMP baseline security controls  in accordance with their system categorization
  • Document- CSP develops an SSP to document controls-CMP, CP and CP Test
  • Assess
    • Categorize system
  • 3PAO Create a Security Assessment Plan
  • 3PAO Perform initial and periodic assessments of CSP security controls
  • 3PAO Conduct security tests and produce a Security Assessment Report and POAM
  • Authorize-Agency reviews SA&A package (SAR, POAM and SSP) to other issue an ATO, Interim ATO, Denial an ATO or leverage existing ATO from JAB-(Agency ATO or JAB ATO)
  • Monitor
    • Agency and PMO staff review continuous monitoring artifacts available in the FedRAMP secure repository periodically
  • Make continuous monitoring artifacts available in the FedRAMP secure repository
  • Report-Agencies reports CSP who they think cannot meet FeRAMP requirement
  • Main FedRAMP page http://cloud.cio.gov/fedramp
  • Cloud system can only be categorized as Moderate or Low
  • All the templates are provided on the main FedRAMP page

FEdRAMPĀ And RMF Short Version

Complete Version

RMFFedRAMPARTIFACTSRESPONSIBILITY
N/AInitiateSA&A PackageAgency(Review Package)
N/AApplyRequest FormAgency or Cloud Service Provider(CSP)
CategorizationImplementFIPS199, RAR, PTA, PIA, SORNand E-AuthenticationThird Party Assessor Organization(3PAO)
Control SelectionImplementSecurity Control baselineThird Party Assessor Organization(3PAO)
ImplementationDocumentSSP, CMP, CP, and CP testCloud Service Provider(CSP)
AssessmentAssessSAP, ST&E, and SARThird Party Assessor Organization(3PAO)
AuthorizationAuthorizePOAM and ATOJoint Authorization Board(JAB) or Agency
Continuous MonitoringMonitorPOAM, SSP, and SARJAB(review package), Agency(review package) and CSP (Provide package)
N/AReportN/AAgency
error: Content is protected !!