Federal Government / Cloud Security Program

FedRAMP

Federal Risk and Authorization Management Program

Legally Required Featured Framework

Government-wide program providing standardized approach to security assessment, authorization, and continuous monitoring for cloud computing products and services that process federal information.

Executive Summary

FedRAMP enables federal agencies to securely adopt cloud technologies while maintaining rigorous security standards by allowing Cloud Service Providers to obtain a single authorization that agencies can reuse. FedRAMP is mandatory for all federal executive agency cloud deployments at Low, Moderate, and High security impact levels. Current OMB policy: M-24-15 (July 2024).

Comprehensive Documentation

Federal Risk and Authorization Management Program (FedRAMP)

Overview

FedRAMP is a government-wide program that provides a standardized, reusable approach to security assessment, authorization, and continuous monitoring for cloud computing products and services (IaaS, PaaS, SaaS) that process federal information.

Official Home: https://www.fedramp.gov/
Current Policy: OMB Memorandum M-24-15 (July 25, 2024)
Congressional Authority: FedRAMP Authorization Act (FY23 NDAA, December 2022)
Revision: Revision 5 (based on NIST SP 800-53 Rev. 5)

Program History

Original Establishment


  • Date: December 8, 2011

  • Original Memorandum: "Security Authorization of Information Systems in Cloud Computing Environments"

  • Purpose: Safely accelerate federal cloud adoption and avoid duplicating security assessment efforts


Congressional Codification


  • FedRAMP Authorization Act: Enacted as part of James M. Inhofe National Defense Authorization Act for FY 2023 (December 2022)

  • Congressional Authority: 44 U.S.C. Sec. 3554

  • Effect: Codified FedRAMP as "authoritative standardized approach to security assessment and authorization for cloud computing products and services"


Current Policy Update


  • OMB Memorandum M-24-15: "Modernizing the Federal Risk and Authorization Management Program"

  • Issuance Date: July 25, 2024

  • Effective Date: July 25, 2024

  • Effect: Replaces 2011 memorandum; establishes new governance structure and modernization initiatives including FedRAMP 20x


Current Status (November 2025)


  • 476 Authorized Systems

  • 77 Systems In Process

  • 72 Systems Ready (FedRAMP Ready designation)


Authorization Levels

FedRAMP operates at three security impact levels defined by FIPS Publication 199:

LOW IMPACT LEVEL


  • Definition: Cloud services where loss of confidentiality, integrity, or availability would have limited adverse effects

  • Examples: General administrative information, low-sensitivity business data

  • Baseline Controls: FedRAMP Low baseline (1 additional control above NIST SP 800-53)

  • Authorization Path: Agency Authorization or FedRAMP Tailored


MODERATE IMPACT LEVEL


  • Definition: Cloud services where loss would result in serious adverse effects on agency operations, assets, or individuals

  • Examples: Personally Identifiable Information (PII), business-sensitive information, operational data

  • Market Prevalence: Accounts for majority of FedRAMP authorizations

  • Baseline Controls: FedRAMP Moderate baseline (17 additional controls above NIST SP 800-53)

  • Authorization Paths: Agency Authorization


HIGH IMPACT LEVEL


  • Definition: Cloud services where loss could result in severe or catastrophic adverse effects

  • Examples: CUI, sensitive financial systems, law enforcement data, health systems, critical infrastructure

  • Baseline Controls: FedRAMP High baseline (22 additional controls above NIST SP 800-53)

  • Authorization Paths: Agency Authorization


Key Requirements

1. Third Party Assessment Organization (3PAO) Assessment


  • Role: Independent assessment organization ISO/IEC 17020 accredited to conduct FedRAMP security assessments

  • Requirement: Must maintain ISO/IEC 17020 accreditation and demonstrate FedRAMP performance standards

  • Deliverable: Security Assessment Report (SAR) documenting verification of CSP control implementation


2. Continuous Monitoring (ConMon)


  • Requirement: Mandatory ongoing security monitoring throughout authorization lifecycle

  • Frequency: Monthly continuous monitoring deliverables required

  • Components:

- Vulnerability scan results
- Updated Plan of Actions and Milestones (POA&M)
- System inventory updates
- Security incident reports
- Significant Change Requests (SCRs)

3. Annual Assessment


  • Requirement: Every FedRAMP-authorized CSP must undergo annual security assessment per control CA-2

  • Scope: Selected controls tested annually, plus additional controls selected by Authorizing Official

  • Deliverable: Updated SAR submitted annually


4. Plan of Actions and Milestones (POA&M)


  • Requirement: CSP must establish, maintain, and monthly update POA&M per FedRAMP template

  • Content: All scan findings documented; each unique vulnerability tracked as individual POA&M item

  • Submission: Monthly to Authorizing Official for review and approval


Baseline Controls

Control Baseline Structure


FedRAMP baselines are derived from NIST Special Publication SP 800-53, Revision 5 with FedRAMP-specific additional controls to address government-wide cloud security requirements.

NIST SP 800-53 Rev. 5 Integration


  • Source: NIST SP 800-53 Rev. 5 - "Security and Privacy Controls for Information Systems and Organizations"

  • Application: FedRAMP baselines select specific controls from complete NIST SP 800-53 control catalog


FedRAMP-Specific Additional Controls by Impact Level

LOW IMPACT BASELINE:

  • NIST Low baseline controls PLUS 1 additional FedRAMP-specific control


MODERATE IMPACT BASELINE:
  • NIST Moderate baseline controls PLUS 17 additional FedRAMP-specific controls

  • Enhanced protection for moderate-risk federal systems

  • Accounts for majority of federal cloud deployments


HIGH IMPACT BASELINE:
  • NIST High baseline controls PLUS 22 additional FedRAMP-specific controls

  • Maximum security protections for most sensitive unclassified federal data


FedRAMP Tailored Baseline (LI-SaaS)


  • Target: Low-Impact Software-as-a-Service applications

  • Requirements:

- Must be SaaS offering
- Low-security-impact per FIPS PUB 199
- Hosted within FedRAMP-authorized PaaS/IaaS
- Does not store PII beyond login requirements

Authorization Paths

CURRENT AUTHORIZATION MODEL: "ONE AUTHORIZATION"

Per OMB Memorandum M-24-15, FedRAMP transitioned from historical JAB Provisional ATO model to unified "One Authorization" model.

AGENCY AUTHORIZATION (Current Primary Path)


  • Definition: CSP partners with federal agency to achieve FedRAMP authorization

  • Process:

- Agency sponsors authorization effort
- Agency serves as Authorizing Official (AO)
- 3PAO conducts independent assessment
- Agency reviews SAR and security package
- Agency issues Authority to Operate (ATO)
  • Timeline: Typically 6-12 months depending on complexity

  • Reusability: Other agencies can reuse approved security package ("do once, use many")


FedRAMP READY (Optional Pre-Authorization Designation)


  • Definition: Optional step where CSP demonstrates readiness for authorization

  • Process:

- CSP works with FedRAMP-recognized 3PAO
- Completes Readiness Assessment Report (RAR)
- FedRAMP PMO reviews and approves RAR
  • Availability: Moderate and High impact levels only

  • Validity: One calendar year


FedRAMP 20X (Emerging Modernized Approach)


  • Definition: New cloud-native authorization approach under development

  • Status: Phase Two in development as of 2025

  • Features: Automation, modernization, streamlined assessment

  • Announcement: GSA announced FedRAMP 20x in March 2025


FedRAMP Marketplace

Official URL: https://marketplace.fedramp.gov/

Purpose: Searchable database of:

  • Cloud Service Offerings (CSOs) with FedRAMP designations

  • Federal agencies using FedRAMP Authorized CSOs

  • FedRAMP-recognized Third Party Assessment Organizations (3PAOs)


Marketplace Designations:
  1. AUTHORIZED - Successfully completed FedRAMP authorization

  2. IN PROCESS - Actively working toward authorization

  3. READY - 3PAO attests CSP readiness; RAR approved by FedRAMP


Current Status:
  • 476 Authorized CSOs

  • 77 In Process

  • 72 Ready


Scope

IN SCOPE FOR FedRAMP

Cloud computing products and services (IaaS, PaaS, SaaS) that:

  • Create, collect, process, store, or maintain Federal information

  • Are offered as shared services (shared responsibility model)

  • Are available for multi-agency use or support federal operations


Examples:
  • Cloud-based email systems for federal agencies

  • Internal data search and retrieval systems

  • Sensitive messaging platforms for government work

  • Shared SaaS applications supporting federal operations

  • Cloud infrastructure (IaaS/PaaS) hosting federal systems


OUT OF SCOPE FOR FedRAMP

The following are explicitly outside FedRAMP requirements:

  1. Single-Agency Systems - Cloud infrastructure used exclusively by one agency

  2. Social Media and Communications Platforms - Public-facing social media for communications

  3. Search Engines and Information Providers - Services providing only publicly available information

  4. Negligible Risk Services - Systems whose compromise poses insignificant operational risk

  5. Widely Available Services (Non-Federal) - Commercial services providing only general information


Enforcement

Mandatory Requirement for Federal Agencies

FedRAMP is MANDATORY for all executive agency cloud deployments and service models at Low, Moderate, and High risk impact levels.

Authority:

  • OMB Memorandum M-24-15 establishes mandatory requirement

  • 44 U.S.C. Sec. 3554 (FISMA) requires agency information security protections

  • FedRAMP Authorization Act (FY23 NDAA) codifies FedRAMP as authoritative standard


Contracting Officer Authority:
  • Cannot award contracts without FedRAMP authorization at required level

  • Cannot exercise contract options without current authorization

  • Cannot extend contract performance periods without valid certificate


Continuous Monitoring Enforcement:
  • CSPs must submit monthly deliverables

  • 3PAOs conduct annual security assessments

  • Non-compliance can result in:

- Corrective Action Plans (CAPs)
- Suspension of authorization
- Removal from FedRAMP Marketplace
- Agency ATO revocation

Massachusetts Perspective

State Agency Applicability


FedRAMP is a federal government program for federal agencies and their CSPs.

Massachusetts Agencies Using Federal Grants/Funding:

  • State agencies administering federal grant programs must comply with federal data handling requirements

  • If processing federal information, cloud services may trigger FedRAMP requirements

  • Examples: State health agencies processing federal Medicaid data, state education agencies managing federal Title I grants


Massachusetts Cloud Service Providers Serving Federal Customers:
  • Massachusetts-based CSPs seeking federal customers MUST achieve FedRAMP authorization

  • Authorized Massachusetts CSPs appear on FedRAMP Marketplace

  • Must meet NIST SP 800-53 Rev. 5 baseline controls plus FedRAMP-specific additions


No Direct State Mandate:
  • Massachusetts does not have state-level equivalent to FedRAMP

  • State agencies do not require FedRAMP authorization for state-only data

  • State compliance managed by state IT governance structures


Related Frameworks

FISMA (Federal Information Security Modernization Act)


  • Authority: 44 U.S.C. Sec. 3554 (updated 2014)

  • Relationship: FedRAMP is FISMA applied to cloud services

  • CSP Compliance: FedRAMP satisfies FISMA requirements for cloud


NIST SP 800-37 Rev. 2 - Risk Management Framework


  • Title: "Risk Management Framework for Information Systems and Organizations"

  • RMF Steps: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor

  • FedRAMP Connection: FedRAMP authorization follows RMF methodology


NIST SP 800-53 Rev. 5 - Security and Privacy Controls


  • Title: "Security and Privacy Controls for Information Systems and Organizations"

  • FedRAMP Basis: FedRAMP baselines directly derived from NIST SP 800-53 Rev. 5

  • 18 Control Families: Access Control, Identification and Authentication, Incident Response, etc.


OSCAL (Open Security Controls Assessment Language)


  • Developed By: NIST in collaboration with industry

  • Purpose: Machine-readable formats (XML, JSON, YAML) for security control assessments

  • Benefits: Automation, reduces audit duration, minimizes human error

  • OMB M-24-15 Requirement: Federal agencies must implement OSCAL compatibility by July 25, 2026


Effective Dates and Implementation

Original FedRAMP Establishment


  • Date: December 8, 2011

  • Status: Rescinded by M-24-15


FedRAMP Authorization Act


  • Enacted: December 2022 (FY23 NDAA)

  • Effect: Codified FedRAMP as authoritative standard

  • Status: Current law


Current OMB Policy - M-24-15


  • Issuance Date: July 25, 2024

  • Effect: Replaces 2011 memorandum; establishes new governance and modernization vision

  • Key Implementation Deadlines:

- By January 21, 2026: GSA must implement machine-readable artifact procedures
- By July 25, 2026: Federal agencies must implement OSCAL compatibility

FedRAMP Rev. 5 Baseline Transition


  • Approval Date: May 2023

  • Release Date: June 15, 2023

  • Requirements: New authorizations must use Rev. 5 baselines

  • Basis: NIST SP 800-53 Rev. 5 (released December 2020)


Key Takeaways

  1. FedRAMP is Mandatory: Federal agencies must obtain FedRAMP authorization for all cloud services within scope

  2. "Do Once, Use Many": Single CSP authorization can be reused by multiple agencies

  3. Three Impact Levels: Security controls vary by data sensitivity (Low, Moderate, High)

  4. Modernization in Progress: FedRAMP 20x introduces cloud-native automation; OSCAL integration mandated by 2026

  5. 3PAO Assessment Required: Independent third-party assessment organization must verify security controls

  6. Continuous Monitoring: Authorization not one-time; CSPs must submit monthly monitoring data

  7. Marketplace Access: FedRAMP Marketplace is single source of truth for authorized federal cloud services

  8. Massachusetts Connection: MA-based CSPs seeking federal customers must achieve FedRAMP authorization

Applicable Industries

Cloud Service Providers (IaaS, PaaS, SaaS)Federal AgenciesIT Service Providers (Federal)Software as a Service (SaaS)Infrastructure as a Service (IaaS)Platform as a Service (PaaS)Managed Service Providers (Federal)

Company Size

undefined-undefined employees

Effective Date

12/8/2011

Penalties for Non-Compliance

No direct civil penalties. Enforcement through: Contract ineligibility (agencies cannot award contracts without FedRAMP authorization), removal from FedRAMP Marketplace, suspension of authorization, agency ATO revocation, contract termination.

For Massachusetts Companies

This is a mandatory federal framework that applies to Massachusetts companies in applicable industries. Non-compliance can result in significant penalties.

Applicable Massachusetts Industries

Cloud Service Providers (IaaS, PaaS, SaaS)
Federal Agencies
IT Service Providers (Federal)
Software as a Service (SaaS)
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Managed Service Providers (Federal)
View MA Compliance OverviewBrowse by Industry

Official Resources

Primary Source

https://www.fedramp.gov/

Additional Official Sources

Enforcement Agency

GSA (General Services Administration), OMB (Office of Management and Budget), FedRAMP Program Management Office (PMO), Federal Agency Authorizing Officials