Federal Risk and Authorization Management Program (FedRAMP)

This blog post provides a general overview of FedRAMP.

FedRAMP is a U.S. Government program that standardizes how the Federal Information Security Management Act of 2002 (FISMA) applies to cloud computing systems.

FedRAMP establishes a public-private partnership to promote innovation and the advancement of more secure information technologies. By using an agile and flexible framework, it enables Federal Government agencies to accelerate the adoption of cloud computing. This is achieved by creating transparent standards and processes for security authorizations and allowing agencies to re-use those authorizations on a wide scale, from one agency to another. To learn more, go to https://www.fedramp.gov

Key Stakeholders

FedRAMP is the result of a close collaboration among cybersecurity and cloud experts from GSA, NIST, DHS, DOD, NSA, OMB, and the Federal CIO Council and its working groups, as well as private industry. The key stakeholders are represented in the figure below:

[Figure: FedRAMP key stakeholders (FR-Stakeholders.png)]

Why FedRAMP?

If you wish to offer cloud services to the U.S. Government, then you must undergo the FedRAMP process. This is the only way a U.S. Government agency will consider doing business with a non-government organization. That is because all U.S. Government agencies must abide by the Federal Information Security Management Act (FISMA), originally released in 2002 and updated multiple times since its inception. FISMA requires U.S. Government agencies to follow the guidance developed by the National Institute of Standards and Technology (NIST).

Underlying Process

FedRAMP is primarily based on NIST's Risk Management Framework, with a sole emphasis on Tier 3 (information system level) processes. It is slightly modified to incorporate additional controls not typically required of government agencies, yet it remains limited compared to what government agencies themselves are required to implement. Organizations undergoing the process without being sponsored by a U.S. Government agency should be aware that FedRAMP does not address all U.S. Government requirements; there will be additional requirements, not fully addressed by FedRAMP, that depend on the sectors served by the agency leveraging the services.

How can CyberAdeptness help?

We have provided lead-level assessment audits for the government since 2006. Unfortunately, we are still a small company and do not qualify as a FedRAMP 3PAO (Third Party Assessment Organization) because we do not hold ISO 27001 certification. That, however, does not prevent us from providing the services that must be in place before undergoing a 3PAO assessment. These services include, but are not limited to, the following:

  • Enterprise Level Risk Management Assessment and Implementation
  • Security Engineering Guidance for Network, Application Development, & Cloud Computing
  • FedRAMP Security Documentation Development
  • FedRAMP Pre-Audit

In addition, it is important to note that the services listed above are not limited to the government sector, as the processes noted are also essential for any organization wishing to implement the NIST Cybersecurity Framework.

Interested in learning more? Contact us via the form on our site at https://www.cyberadeptness.com

NOTE: Due to security concerns, we keep our web content to the bare minimum. Please note that you will receive a response within forty-eight (48) hours or less.

By Karen Baez | on Sunday, September 2 2018 21:01
