The Federal Risk and Authorization Management Program (FedRAMP) is a risk management program for large outsourced and multi-agency information systems used by the U.S. government. FedRAMP authorizes and continuously monitors IT services that are used by multiple federal departments and agencies.
FedRAMP was created to support the government’s cloud computing plan. It is intended to facilitate the adoption of cloud computing services among federal agencies by evaluating the services offered by vendors on behalf of those agencies. The evaluations are based on a unified risk management process that includes security requirements agreed upon by the federal departments and agencies. Because the services are vetted by FedRAMP, each agency does not need to conduct its own risk assessment of them. This reduces duplication of effort, the time needed to acquire services, and cost. However, agencies are still encouraged to evaluate services further against their own intended use and their own privacy and security requirements. The plan is to eventually expand FedRAMP beyond cloud services.
Vendors cannot directly request FedRAMP authorization. In order to be evaluated, an agency must sponsor the vendor’s system/service and submit it to FedRAMP for review by a joint authorization board. In the case of cloud services, the joint authorization board consists of senior executives and technical staff members from the Defense and Homeland Security departments, the General Services Administration and the sponsoring agency.
While FedRAMP is intended to be a government-wide initiative, agencies’ involvement is voluntary.
Learn more about FedRAMP:
Tim Mather explains how FedRAMP fits in with other cloud governance initiatives.