The Ultimate Guide to

Federal Risk and Authorization Management Program (FedRAMP)

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for all cloud products and services. It was created by the Joint Authorization Board (JAB) with representatives from the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense (DoD).

Protect mission-critical data

The US federal government is one of the largest buyers of cloud technology and knows that innovative Cloud Service Providers can save agencies time and resources while meeting their critical mission needs. In fact, a 2020 FedRAMP survey found that 45% of federal agencies and 52% of state and local governments are currently storing mission-critical data in the cloud, and nearly every respondent said that they use the cloud to store at least some of their systems or solutions.

In order to protect data stored in the cloud, the General Services Administration (GSA) created the Federal Risk and Authorization Management Program (FedRAMP) to provide a standardized security framework for all cloud products and services that is recognized by all executive federal agencies. Cloud Service Providers (CSPs) only need to go through the FedRAMP Authorization process once for each Cloud Service Offering (CSO) and perform continuous monitoring. Meanwhile, all agencies can review the same continuous monitoring deliverables, creating efficiencies across the government.

What is the purpose of FedRAMP?

The purpose of FedRAMP is to:

Ensure that cloud applications and services used by government agencies have sufficient security safeguards to protect federal information.

Enable the procurement of information systems/services in an efficient and cost-effective manner.

Eliminate duplicative efforts and risk management costs across government entities.

Does my business need to be FedRAMP authorized?

If your company provides cloud computing services or SaaS applications and plans on having the U.S. government as a customer, then you will need to become FedRAMP authorized. In fact, every single government contract includes standardized language for FedRAMP requirements. Don’t let the size of your company deter you, either. Over 30% of FedRAMP Cloud Service Providers are small businesses.

Did you know that Hyperproof can save you hours of time by automatically generating the SSP reports required for FedRAMP?

Demo Now

The 4 phases to the authorization process: How to get FedRAMP certified

1. Prepare and plan

There are six steps in the preparation/planning phase, and the process can take weeks or multiple months depending on the maturity of your current security compliance program.

Step 1: Establish a partnership with a federal agency

The first step is to find a federal agency that is interested in using your product and willing to go through the authorization process with you.

Step 2: Determine your authorization path

There are two paths to authorization, you can get a Provisional Authority to Operate (P-ATO) from the Joint Authority Board (JAB), or obtain an ATO letter from a federal agency.

Step 3: Determine the security impact level and security objective for your application

As a Cloud Service Provider you can be one of three levels: low, moderate, or high. Each level determines your security control requirements. More on this below.

Step 4: Implement security controls

Once you know your correct security impact level, you will need to fulfill the requirements from the FedRAMP security controls baseline.

Step 5: Document your control set

After you’ve implemented the appropriate set of controls, you’ll need to document the details in a System Security Plan.

Step 6: Prepare supporting documents

Lastly, FedRAMP requires you to submit a set of supporting documents along with your SSP. The templates for these documents can be downloaded at www.fedramp.gov.

2. Assess

Once you finish phase one, you’ll need to hire an independent assessor to test and verify your controls’ implementation and effectiveness. When the testing is completed, you’ll be issued a Security Assessment Report (SAR) that contains any vulnerabilities, threats, and risks discovered during the testing process. After you’ve reviewed the report, your assessor will share it with the security team at the agency you’re working with or with the JAB. In the meantime, you can start developing your Plan of Action & Milestones (POA&M) which addresses how you will resolve the vulnerabilities in your report and submit this to the same agency or the JAB.

3. Authorize

After the assessment and documents have been delivered, you’ll need to submit the entire security package to your authorizing official (AO) at the agency or the JAB. The AO or the JAB will review the materials and either approve them or request further testing. A final review is then conducted that decides whether you will have an Authority to Operate (ATO), and a signed ATO letter will be given to you by your Authorizing Official.

4. Monitor

Even after you receive the ATO, your work isn’t finished. To maintain the authorization, you’ll need to have continuous monitoring implemented and maintain an appropriate risk level associated with your security impact level. The agency or JAB can revoke the authorization if you fail these steps. You can learn more about the authorization using the Agency Authorization page or the FedRAMP Agency Authorization playbook.

Should I get a joint authorization board P-ATO or a FedRAMP agency P-ATO?

If your product will be used by multiple federal agencies, you should consider the JAB P-ATO. When the JAB grants the authorization, they will share this recommendation to all Federal agencies. However, getting the JAB P-ATO is no easy feat. Since the JAB has limited resources, it is only able to evaluate a select number of cloud service providers annually. This method also requires an accredited third party assessment organization (3PAO) to complete the readiness assessment — something you’ll need prior to beginning a FedRAMP assessment.

Once you are prioritized to work with the JAB and deemed FedRAMP ready, you’ll complete a System Security Plan and use your 3PAO for the full assessment, which will then submit a full package of documents to JAB. Finally, you’ll move to the authorization and monitor phase. This process can take months to complete.

On the other hand, if you want to gain authorization to only work with a single federal agency or if your product has niche demand, you can work directly with an agency to obtain a FedRAMP Agency Authority to Operate (ATO). Going this direction is quicker and somewhat less intensive than the JAB route, since you don’t have to provide proof of demand from multiple agencies or go through reviews with the JAB.

How does FedRAMP fit into your overall compliance program?

While FedRAMP is used specifically for work with the U.S. government, the controls needed to safeguard a cloud service offering are similar to those used by other infosecurity standards and certifications. In fact, the JAB used the NIST SP 800-53 catalog of controls as a baseline, although many other framework requirements will overlap. This means that if you already adhere to another information security framework (e.g., ISO 27001, NIST CSF, SOC 2® Type 2), you may already have done a lot of the work needed for FedRAMP.

GuIDE

The Compliance Operations Methodology

Manage IT risks in a disciplined, proactive manner and efficiently prove to customers that you can keep sensitive data safe.

If you’ve already implemented an information security framework in the Hyperproof platform and want to meet FedRAMP security controls baseline, the Hyperproof platform will recommend which existing controls you can leverage to fulfill them, making it significantly easier and faster to complete the standard. Conversely, the controls you implement for FedRAMP can be reused to meet the requirements of other information security standards and frameworks.

Note that FedRAMP does not supersede local or regional laws, government regulations, or other legal requirements.

What security controls does FedRAMP require?

When creating the baseline for FedRAMP, the JAB used the NIST SP 800-53 catalog of controls with certain modifications for the unique risks for cloud computing environments. It’s likely that many controls existing already in your organization will satisfy controls in the FedRAMP templates. Some controls might require you to implement new tools, while others will need changes to be made in existing systems. For a full list of requirements and controls, you can download the Security Controls Baseline. It’s important to remember that the baseline is the minimum you’ll need to do, and the agency you work with might require additional requirements above the baseline.

What security impact level and security level do I need?

FedRAMP categorizes Cloud Service Providers into three security impact levels, and each has different security control requirements.

Low Impact

In most cases, companies will be at this level if their applications do not store personal identifiable identification beyond what’s generally required for login capability, such as username, password, and email. The loss of this information such as confidentiality, integrity and availability would have limited adverse effects on an agency’s operations, assets or individuals.

Moderate Impact

This level accounts for nearly 80% of CSP applications that receive FedRAMP authorization and are most appropriate for CSOs where the loss of information would have serious adverse effects on the agency’s operations, assets, or individuals.

High Impact

High impact data is in systems where the loss of confidentiality, integrity, or availability would be severe or catastrophic. You can find this data in law enforcement and emergency services systems, financial systems, or health systems.

FedRAMP: Frequently Asked Questions

The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 to standardize the security assessment, authorization, and continuous monitoring processes for cloud products and services used by federal agencies.

The goal of FedRAMP is to ensure that cloud services meet strict security requirements, ultimately protecting federal data and promoting the adoption of secure cloud technologies across government agencies.

Hyperproof is currently pursuing FedRAMP compliance. Want to learn about our journey? Check out our podcast, Drafting Compliance.

FedRAMP certification comes with many benefits, including:

Market access

Certification enables Cloud Service Providers (CSPs) to offer their services to federal agencies, ultimately expanding their market reach.

Enhanced security

Achieving FedRAMP certification demonstrates an organization’s commitment to stringent security controls, enhancing not only overall security posture but also trust and credibility within the market. It ensures the organization adheres to a standardized set of security requirements vetted by federal agencies.

Standardization

FedRAMP simplifies the security assessment process by providing a unified approach, reducing the need for multiple assessments by different agencies. This standardization also ensures consistency in the security of cloud services used by federal agencies.

Cost savings

Certification reduces the time and resources required for individual agency assessments, leading to cost savings for both CSPs and federal agencies. The standardized approach eliminates redundancy and streamlines the authorization process.

Competitive advantage

FedRAMP certification distinguishes certified CSPs from competitors, showcasing their dedication to high-security standards and compliance with federal requirements.

FedRAMP compliance is required for any CSP that offers services to federal agencies. This includes any third-party vendors that store, process, or transmit federal data as part of their cloud-based solutions for government entities. Compliance is mandatory to ensure that cloud services meet the stringent security standards necessary to protect sensitive federal information.

NIST (National Institute of Standards and Technology) provides the foundational security controls and guidelines through NIST SP 800-53, which outlines security and privacy controls for federal information systems and organizations. FedRAMP, on the other hand, builds upon NIST guidelines by adding specific requirements and processes tailored for cloud service providers. While NIST provides the baseline controls, FedRAMP standardizes the security assessment, authorization, and continuous monitoring processes for cloud services used by federal agencies.

Starting the FedRAMP certification process involves seven key steps:

Understand requirements: Familiarize yourself with FedRAMP requirements and guidelines, including the FedRAMP security controls baseline.
Choose a path: Select the appropriate authorization path – Joint Authorization Board (JAB) or Agency Authorization.
Gap analysis: Conduct a gap analysis to identify areas needing improvement to meet FedRAMP requirements.
Develop a System Security Plan (SSP): Document your security controls and procedures in an SSP, which includes detailed information about the system’s security posture and how it meets the FedRAMP requirements.
Continuous monitoring: Implement a continuous monitoring program to regularly assess the system’s security posture.
Engage a third-party assessment organization: Work with an accredited third-party assessment (3PAO) organization to conduct an independent security assessment. This assessment includes testing the implementation of security controls.
Remediate findings: Address any findings from the 3PAO assessment to ensure compliance with FedRAMP requirements.
Submit for review: Submit your SSP and the 3PAO assessment results for review by the JAB or an authorizing federal agency.
Achieve authorization: Upon successful review, receive your FedRAMP Authorization to Operate (ATO).

FedRAMP compliance requires meeting a set of stringent security requirements.

Implement NIST SP 800-53 controls

NIST 800-53 controls must be implemented and the appropriate security controls should be applied based on the cloud service’s impact level (Low, Moderate, or High).

Document security measures

Detailed documentation must be created and maintained. This documentation includes:

System Security Plan (SSP)
Security Assessment Plan (SAP)
Security Assessment Report (SAR)
Plan of Action and Milestones (POA&M)
Continuous Monitoring Strategy

Continuous monitoring

Implement ongoing monitoring processes to ensure continuous compliance and address emerging threats. This includes regular security assessments and updates to security documentation.

Independent assessment

An organization must undergo regular assessments by an accredited Third-Party Assessment Organization (3PAO) to validate compliance. This includes initial assessments and annual reviews.

Authorization

Obtain an Authority to Operate (ATO) from a federal agency or through the Joint Authorization Board (JAB).

Low: For systems with low impact on an organization’s operations, assets, or individuals if compromised. Suitable for less sensitive information.

Moderate: For systems with moderate impact, requiring more stringent controls. Most federal cloud services fall under this category.

High: For systems with high impact involving highly sensitive data. Requires the highest level of security controls and continuous monitoring.

The time required to achieve FedRAMP authorization varies based on the organization’s complexity, readiness, and chosen authorization path. Typically, the process can take anywhere from six to eighteen months. However, the time frame can vary significantly depending on whether the organization opts for a Joint Authorization Board (JAB) Authorization or an Agency Authorization. Conducting a thorough gap analysis and preparing comprehensive documentation can help expedite the process.

FedRAMP assessments must be conducted annually. Cloud service providers are required to undergo annual security assessments by an accredited Third-Party Assessment Organization (3PAO) to ensure ongoing compliance with FedRAMP requirements. Continuous monitoring is mandatory, including monthly vulnerability scans and regular updates to the System Security Plan (SSP) to address new threats and vulnerabilities. These continuous monitoring activities are essential to maintain the authorization to operate (ATO) status.

Maintaining FedRAMP compliance involves:

Continuous monitoring: Implementing ongoing monitoring processes to detect and respond to security incidents, including monthly vulnerability scans, automated security assessments, and continuous logging and alerting.
Annual assessments: Undergoing annual assessments by an accredited 3PAO to validate ongoing compliance and ensure the security controls are effective.
Updating documentation: Regularly updating the System Security Plan (SSP) and other documentation to reflect changes in the system or environment, ensuring all controls and procedures are current and accurate.
Incident reporting: Promptly reporting any security incidents to the appropriate federal agencies and taking corrective actions, following the incident response procedures defined in the Incident Response Plan (IRP).
Plan of Action and Milestones (POA&M) management: Maintaining and addressing POA&Ms to track the remediation of any identified weaknesses or deficiencies.

FedRAMP Ready: Indicates that a CSP has a high likelihood of achieving FedRAMP Authorization. It is an initial designation based on a readiness assessment by an accredited 3PAO. This status shows that the CSP’s documentation and security controls are prepared for the full security assessment.

In Process: Signifies that a CSP is actively working towards achieving FedRAMP Authorization, either through the JAB or an agency sponsor.

Authorized: Means that a CSP has successfully met all FedRAMP requirements and has been granted an Authority to Operate (ATO) by the JAB or an authorizing federal agency. This status indicates that the CSP’s service offering has been thoroughly vetted and approved for use by federal agencies.

Common challenges in achieving FedRAMP compliance include:

Complex documentation: Preparing detailed and comprehensive documentation can be time-consuming and challenging.
Stringent security controls: Implementing the required security controls and demonstrating their effectiveness can be difficult, especially for smaller organizations.
Resource intensive: The process requires significant time, effort, and financial resources.
Continuous monitoring: Maintaining ongoing compliance through continuous monitoring and regular assessments can be demanding.

Several resources are available to assist with FedRAMP certification:

The FedRAMP website, which provides detailed guidance, templates, and documentation.
Accredited 3PAOs which offer independent assessment services and guidance on meeting FedRAMP requirements.
Consulting firms which specialize in helping organizations navigate the FedRAMP certification process.
Training programs which provide education on FedRAMP requirements and best practices.
A GRC tool which streamlines the FedRAMP certification process by automating compliance workflows, centralizing documentation, and providing real-time monitoring and reporting capabilities.

Learn how Hyperproof can make the FedRAMP certification process easier

Yes, a company can lose its FedRAMP certification if it fails to maintain compliance with FedRAMP requirements. This can occur due to deficiencies identified during continuous monitoring or annual assessments, failure to address security incidents promptly, or significant changes in the system that are not adequately documented or managed.

FedRAMP maps to the following frameworks:

Hyperproof for FedRAMP Compliance

Hyperproof’s compliance operations software solution helps organizations understand FedRAMP requirements, document controls for their business, streamline and automate the evidence management process, generate SSP reports, and monitor their security controls to ensure ongoing effectiveness. Plus, it comes with templates for FedRAMP High, Moderate and Low Impact levels requirements to help you hit the ground running. Learn more about simplifying your journey to FedRAMP compliance with Hyperproof.

Smiling man with glasses standing behind a shield that says FR, meaning FedRAMP

A pre-built template to help you implement controls quickly and correctly

The ability to jumpstart the FedRAMP process by reusing controls from another security compliance framework

Automated and efficient evidence collection tools to document your efforts and gauge readiness towards FedRAMP compliance

Automatically generate SSP reports for FedRAMP compliance

Frictionless collaboration between compliance teams, internal stakeholders, and a 3rd-party their auditor

Assign Control assignments to program participants so you can keep team members on track

Dashboards to gauge progress, monitor controls, and view assessment preparedness posture

Hyperproof also partners with professional service firms with proven track records and deep expertise in helping organizations get FedRAMP assessment-ready. Our partners help customers design their information security compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.

Drafting Compliance: Follow us on our FedRAMP journey

Hyperproof will be FedRAMP Moderate in 2025. Subscribe to our YouTube series, Drafting Compliance, where we rate beers and talk about how we’re becoming FedRAMP compliant.