
Federal Risk and Authorization Management Program (FedRAMP)

Contact: CMS FedRAMP PMO | CMS Slack Channel: #fedramp

Provides a federally-recognized and standardized security framework for all cloud products and services

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide initiative that was established in 2011 to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. FedRAMP offers a standardized approach to security assessments, security authorization, and continuous monitoring for cloud products and services. It is designed to:

  • Reduce duplicative efforts, inconsistencies, and cost inefficiencies.
  • Establish public-private partnerships that promote innovation and security.
  • Enable the federal government to accelerate the adoption of cloud computing.
  • Create transparent standards and processes for security authorizations.
  • Allow agencies to leverage security authorizations on a government-wide scale.

Who supports FedRAMP at CMS?

The CMS FedRAMP Program Management Office (PMO) is made up of members of the Information Security and Privacy Group (ISPG). The team works on the procedures to obtain FedRAMP authorization and perform continuous monitoring for cloud services.

FedRAMP versus FISMA

There may be some confusion about the difference between the FedRAMP program and the Federal Information Security Modernization Act (FISMA). While these two federal policies have a lot in common, there are important differences that users need to be aware of.

The Federal Information Security Modernization Act (FISMA) was enacted in 2002 as an effort to modernize all federal government information systems. When thinking about FISMA and FedRAMP, it’s important to remember that FISMA guidance applies to all technologies and systems while FedRAMP deals exclusively with cloud service offerings. Other differences include:

  • While both FedRAMP and FISMA follow NIST security guidance from 800-53, FedRAMP has additional, cloud-specific controls.
  • The FISMA boundary encompasses the full system, which can include 1 or more cloud service offerings; the FedRAMP boundary is exclusively for the cloud service offering and may include the full stack (infrastructure, platform and software) or just parts.
  • FedRAMP requires a Third Party Assessment Organization (3PAO), certified through GSA FedRAMP Program Management Office (PMO), to provide initial and periodic assessments of cloud systems based on federal security requirements; FISMA does not.
  • FedRAMP authorization can be leveraged by multiple agencies, while FISMA authorization is agency specific.

How to obtain a FedRAMP Authorization

The primary way in which a cloud service can obtain a FedRAMP authorization is through an Agency authorization:

Presumption of Adequacy 

FedRAMP is designed to streamline the process for both agencies and cloud providers by creating consistency in the Federal Government's requirements for cloud services. When a CSP has a FedRAMP authorization at a specific FIPS 199 impact level, agencies are required to assume that the security assessment in the authorization package is sufficient for granting their own authorization to operate at that same or lower impact level. This assumption holds as long as the FedRAMP authorization remains active and meets the continuous monitoring requirement. 

For this system to be effective, FedRAMP needs to ensure its authorization process works for all types of cloud products and services, as well as for the specific needs of different agencies. Multiple agencies are able to rely on the same FedRAMP authorization. It is still the CSP System Owner's (SO) responsibility to review and assess the security controls utilized by the CSP's FedRAMP ATO. The SO must ensure the FedRAMP assessment meets CMS's level of risk. There must also be an understanding of which controls belong to the SO, which belong to the CSP, and which are shared by both. The responsibilities and implementation status for all controls can be found in the Customer Responsibility Matrix (CRM) and Control Implementation Summary (CIS) within the CSP's FedRAMP Security package. The SO must also document and assess all controls that are the full or shared responsibility of CMS. Presumption of Adequacy does not override or conflict with the CIO's responsibilities under the Federal Information Security Modernization Act (FISMA) to assess their security needs. If an agency determines it has a "demonstrable need" for additional security measures beyond what is provided in the FedRAMP authorization, or if it finds the existing package is "substantially deficient" for its purposes, the agency can choose to override the presumption and make its own security determination. If after additional work a new authorization is issued, the agency that did the work must explain in the authorization package why it found the previous FedRAMP package insufficient. The agency must also notify the FedRAMP PMO about the deficiency. The FedRAMP Director is responsible for deciding whether the agency's additional security needs require further FedRAMP authorization work, and whether additional FedRAMP resources should be used to update the package.

Agency ATO

Any federal agency can work with a cloud services provider to provide an ATO for the cloud service and submit the package to the FedRAMP Program Management Office (PMO) for authorization. Agency Authorization also provides the additional benefit of collaborative continuous monitoring efforts. To get involved in any of these meetings for systems not sponsored by CMS, the ISSO should email the vendor's compliance team which is available at marketplace.fedramp.gov (Click on the vendor. Contact info is to the left).

Multiple agencies can work together to issue joint authorizations, allowing them to share resources and agree on an acceptable level of risk for using a cloud product or service. The FedRAMP Board will identify IT leaders from federal agencies to form groups that will help increase the authorization capacity across the federal system. Cloud Service Offerings (CSOs) that are widely used across multiple agencies are strong candidates for joint authorizations, especially when managing risks related to availability and security that one agency alone might not fully address. For joint authorizations, the involved agencies must ensure clear communication and follow the presumption of adequacy. 

FedRAMP Authorization levels

FedRAMP follows Federal Information Processing Standards (FIPS) 199 for the categorization of the baseline requirements as:

Low

This FedRAMP baseline was developed to authorize low impact industry solutions that do not contain any sensitive personally identifiable information (PII), including Low-Impact Software as a Service (Li-SaaS).

Moderate

The moderate level is for cloud service offerings where the loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency's operations, assets, or individuals. Serious adverse effects at the moderate level could include significant operational damage to agency assets, financial loss, or individual harm short of loss of life or physical harm.

High

The high level is typically reserved for law enforcement and emergency services systems, financial systems, health systems, and any other system where loss of confidentiality, integrity, or availability could have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. The high level holds the government's most sensitive, unclassified data in cloud computing environments, including data whose compromise could involve loss of life or financial ruin.

Program ATO 

Program authorizations, signed by the FedRAMP Director, show that FedRAMP has reviewed a cloud service's security and confirmed it meets FedRAMP standards, making it suitable for use by other agencies. 

These authorizations are meant to help agencies use cloud products or services that don’t have a specific agency sponsor but are expected to be used by multiple federal agencies once authorized. They can also be used for cloud services that have become widely adopted since their initial FedRAMP authorization, ensuring consistent oversight and risk management across agencies. 

Any Other Path to ATO 

Any other authorization paths created by the FedRAMP PMO, in consultation with OMB and NIST, and approved by the FedRAMP Board, are designed to support the goals of the FedRAMP program. These alternative pathways will still follow the strict standards set by FedRAMP. 

Is FedRAMP Authorization required?

Yes, according to an OMB Memorandum, any cloud service that holds federal data must be FedRAMP authorized. Existing FedRAMP authorized cloud services can be viewed in the FedRAMP Marketplace.

There are exceptions to the authorization requirements above. If a cloud service offering meets all of the following criteria, it can be implemented by CMS without a FedRAMP Authorization:

  • The offering has a private cloud deployment model (i.e., the cloud environment is operated solely for use at CMS).
  • The offering is privately implemented within a managed CMS general services system (i.e., within CMS Cloud).
  • The offering does not provide cloud services from the cloud-based information system to any external entities (including bureaus, components, or subordinate organizations within their agencies).

In the event that your chosen cloud service offering does not require a FedRAMP Authorization, you should continue to comply with the current FISMA requirements and the appropriate NIST security standards and guidelines for your private cloud-based information system.

FedRAMP Authorization best practices

There are some important steps you can take to make sure your FedRAMP Authorization efforts are successful:

Reach out to teams who can help

Making an effort to reach out to others who can help you determine the appropriate next steps for FedRAMP Authorization will make the process easier and help you avoid delays.

  • Contact the CMS Cloud team to see if their solution meets your needs.
  • Contact the CMS FedRAMP PMO if you're thinking of using a different cloud service.
  • Contact the Technical Review Board to discuss the necessary steps to ensure the proper architecture and security to protect government data.

Continuous Monitoring 

FedRAMP continuous monitoring will review and verify the security of CSPs, including their complex setups and encryption methods, to ensure the cloud services are secure, reliable, and the data is protected. The FedRAMP Director will use technical experts from both the government and industry to support these assessments. The review process will include examining documentation as well as in-depth security assessments by an expert-led "red team", during or after the authorization process.

The FedRAMP PMO, working with the FedRAMP Board and CISA, is responsible for setting up a system to continuously monitor cloud services and products. This system must be approved by OMB and the Department of Homeland Security (DHS). The goal is to prioritize the agility of cloud service providers (CSPs) in development and deployment, supporting automation and the rapid development of security features in cloud products, while also promoting CMS practices. The process for overseeing changes to cloud services will shift from monitoring individual changes to focusing on the CSP’s overall change process. Once a CSP is authorized, FedRAMP will generally allow them to make changes at their own pace without needing advance approval for each update. Additionally, CISA will be provided with technical data to help assess risks and detect threats to agency systems. This system avoids separating cloud services into commercial and government instances, encouraging the use of the same infrastructure that CSPs offer to their commercial customers. It also ensures that CSPs have resilient incident response procedures in place to protect federal systems from potential attacks. This system will be regularly updated to address emerging threats, new policies, and regulations. 

The FedRAMP PMO can conduct a special review of existing FedRAMP authorizations, subject to approval by the FedRAMP Board, which sets an expedited deadline for completion. A working group of federal experts will be formed to assess the CSP's authorization and recommend necessary changes. The group will complete the review and submit a report with recommendations to the FedRAMP Director and Board. 

If significant vulnerabilities are discovered in a CSP's FedRAMP authorization, the FedRAMP PMO will inform the CSP and relevant agencies for remediation and set up escalation procedures if issues aren’t resolved promptly. Unresolved issues may be flagged in the FedRAMP Marketplace. The PMO will also develop procedures for responding to CISA's Binding Operational and Emergency Directives (BODs), working with CISA, OMB, and the FedRAMP Board. 

To strengthen the FedRAMP program, the PMO will leverage government-wide tools and collaborate with CISA to enhance monitoring and ensure the sharing of relevant data and tools for effective oversight. 

Automation and Artificial Intelligence (AI) 

FedRAMP aims to automate processes for efficiency and consistency, including security assessments and reviews, by using machine-readable data and APIs to streamline service delivery and improve security. GSA will establish methods for automating these processes and enable the reuse of existing authorizations. FedRAMP will explore using Artificial Intelligence (AI) in its assessments to enhance security outcomes and scalability. 

To support automation, the FedRAMP PMO will collaborate with OMB, NIST, and CISA to adopt interoperable standards, such as the Open Security Controls Assessment Language (OSCAL), for submitting security assessments and continuous monitoring data. FedRAMP will also identify processes that can be automated to improve efficiency and make artifacts more accessible to federal agencies.

FedRAMP will maintain an inventory of cloud services and provide guidance to streamline the authorization process. It will accept widely-recognized external security certifications, where applicable, to avoid redundant assessments and speed up cloud adoption. FedRAMP will also allow agencies to use compensating controls or accept certain risks when there are gaps between federal and external frameworks, as long as these decisions align with FedRAMP’s guidance. Finally, any cloud service meeting continuous monitoring requirements will be deemed compliant with FedRAMP standards. 

Define the Authorization Boundary

Cloud Service Providers (CSPs) must have an authorization boundary diagram that depicts their scope of control over the system components, as well as interconnections to leveraged services external to the boundary. A well-defined boundary allows the stakeholders to understand data flows and how it's protected.

Engage the CMS FedRAMP PMO

CMS stakeholders and CSPs interested in using a cloud offering or provider that does not have a FedRAMP authorization should engage the CMS FedRAMP PMO early and often. A list of approved cloud service offerings and providers can be found on this page, or on the FedRAMP Marketplace.

Provide transparency into security

CSPs should clearly communicate how a cloud service impacts federal information and provide CMS stakeholders insight into a system’s architecture.

Develop mature processes

Business Owners and CSPs have a responsibility to perform continuous monitoring and maintain a system’s security posture, requiring mature security processes. The CMS FedRAMP PMO can support stakeholders in this process and answer questions.

Describe how security requirements are met

CSPs should describe how they manage and support security and what protections they have in place to achieve a level of security sufficient for CMS systems. In addition to the FedRAMP baseline, the CSP will also have to meet CMS baseline security requirements to receive an Authority to Operate (ATO).

Supporting FedRAMP Marketplace 

The FedRAMP Marketplace helps agencies discover cloud services that are available for reuse. It lists cloud products and services that are either in the process of getting or have already completed FedRAMP authorization. The FedRAMP Board may also create special designations for cloud services that don't have a full authorization but have met certain security standards. These designations are meant to encourage the adoption of secure cloud services and show that FedRAMP and an agency have worked together on the service. 

To support the Marketplace, agencies might require FedRAMP authorization as a condition for awarding contracts, but only if there are enough vendors to ensure competition or if legal exceptions apply. 

The General Services Administration (GSA), working with the FedRAMP Board and the CIO Council, develops criteria to prioritize which products and services should receive FedRAMP authorization. These criteria focus on meeting agency needs, particularly for critical or emerging technologies that are not yet available to agencies. The goal is to support automation, shared platforms, and the reuse of cloud services. 

To help more cloud services get FedRAMP authorization quickly, FedRAMP will offer a temporary, time-limited authorization for new services that haven't yet completed full FedRAMP approval. This temporary authorization will allow federal agencies to pilot these services for up to twelve months, with the aim of moving toward full FedRAMP authorization. After twelve months, the temporary authorization will end unless the service is in the process of receiving full authorization. The FedRAMP PMO will provide additional guidance on pilots, including any notification requirements. 

Technical Advisory Group (TAG) 

OMB and General Services Administration (GSA) will create a Technical Advisory Group (TAG) to offer expert advice to FedRAMP. The TAG, made up of federal experts in areas like cloud technologies, cybersecurity, and risk management, will provide technical guidance on an as-needed basis. Unlike the FedRAMP Board or FSCAC, the TAG is not a governance body and only gives advice on pre-decisional matters. 

The TAG’s responsibilities include recommending best practices for continuous monitoring, advising on risk assessments and technical reviews of authorization packages, and offering guidance on other issues as requested by the FedRAMP Director or Board. The FedRAMP PMO will support the TAG’s operations.  

Choosing a cloud service provider or offering

When selecting a cloud service offering or provider, you can either use a service that has been FedRAMP authorized, or you can choose to sponsor the initial authorization with a CMS Agency Authorization for a cloud service offering.

Sponsoring a new cloud service provider or offering

The SO sponsoring the new CSP and HHS are responsible for performing the FedRAMP Security Assessment and Authorization (SA&A). This coordination is done through the HHS Cloud Security Team via the FedRAMP PMO. If HHS decides the CSP reaches the threshold, then HHS will sponsor the CSP for a FedRAMP Assessment. If it does not meet the threshold, then HHS and the SO will discuss the best path forward for assessing and authorizing the CSP. If the CSP proves to be vital to mission success and that outweighs the threshold, HHS may pursue sponsorship for a FedRAMP assessment.

CSP assessments will use the FedRAMP templates and FedRAMP baselines. If the CSP system is categorized under Federal Information Processing Standards (FIPS) 199 as High, then it must utilize a FedRAMP accredited third-party assessment organization (3PAO). A moderate impact system must make a best effort to use a FedRAMP accredited 3PAO, while a low impact system may utilize a non-accredited independent assessor.

To maintain the CSP's authorization requirements, the SO will provide two representatives to participate in a monthly FedRAMP Agency ATO Continuous Monitoring Meeting. This meeting will also provide feedback for the SO to help improve their risk-based decisions on their CSP's services.

  1. CMS Rapid Cloud Review (RCR)

    CMS has developed a RCR process to provide an initial security review of the cloud service. This is done by the CMS Software as a Service Governance (SaaSG) team. The cloud service should be assessed through the RCR process.

  2. FedRAMP Readiness Assessment

    We highly recommend a FedRAMP Readiness Assessment from an accredited Third-Party Assessment Organization (3PAO) to evaluate your readiness for FedRAMP.

  3. Fully built environment

    The cloud service environment must be fully built out and ready before the agency will commit to sponsoring the cloud service.

  4. FedRAMP Security Controls Compliance

    Your cloud services must comply with all security controls as outlined in the FedRAMP Security Assessment Framework (SAF), which includes controls from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 5.

  5. CMS Security Controls Compliance

    In addition to FedRAMP security requirements, the cloud service must also meet the requirements of the CMS Acceptable Risks and Safeguards (ARS) implementation of the NIST SP800-53 Rev. 5 controls.

  6. Identify Subject Matter Experts

    Identify subject matter experts on your cloud team that will support the creation of FedRAMP documentation and liaison with the agency through the authorization process.

  7. Documentation

    We will require all documentation necessary to support the security controls, such as a System Security and Privacy Plan (SSPP). Developing the SSPP in the Open Security Controls Assessment Language (OSCAL) is recommended.

  8. Commitment of the CMS Business Owner

    The authorization process takes months to complete, so it is essential that the business owner is committed to using the product for the duration of the FedRAMP authorization process.

Choosing an existing FedRAMP provider

The FedRAMP Marketplace is the repository of cloud service providers (CSPs) and cloud service offerings (CSOs) that are:

FedRAMP Authorized - CSO is authorized for FedRAMP

FedRAMP Ready - CSP is not yet authorized for FedRAMP, but the CSP has completed its FedRAMP Readiness Assessment Report (RAR) and is ready to partner with an Agency (such as CMS)

FedRAMP In Process - CSO is being reviewed for an Authority to Operate (ATO) by an Agency or Joint Agency

"FedRAMP Ready" status for new CSPs that are not FedRAMP Authorized is highly recommended. This status indicates that a 3PAO has reviewed documentation from the CSP and provided a readiness report. This can be requested for review as part of evaluating the selection of a CSO.

FedRAMP Package Request process

The FedRAMP Package provides security posture details for a cloud service that has been FedRAMP Authorized. You may want to request a FedRAMP package if you are using, considering, and/or assessing a cloud service offering. Initial access to the package lasts for 60 days. Permanent access can be granted if the agency has an ATO letter on file with the FedRAMP Program Management Office (PMO). According to the FedRAMP Authorization Act, all systems that directly leverage a FedRAMP-authorized cloud service must include this in an ATO and notify the CMS FedRAMP PMO (fedramp@cms.hhs.gov) of the authorization and changes to the authorization, including renewals and revocation.

Note: Creating a request for a FedRAMP Package requires a Max.gov account. Follow the steps below:

  1. Start package request form

    Use the FedRAMP Package Request Access form on the FedRAMP website. This is a digital form that you can complete and sign from your computer. Start by filling out "User Information" at the top.

  2. Add details about the package

    When filling out the "Requested Package" section, you can find details about the package on the FedRAMP Marketplace. This will include:

    • Name of Package (Cloud Service Name)
    • Package ID (FedRAMP Package ID)
    • If requesting permanent access to a package, please include this note following the listing of the FedRAMP Package ID. Please see the requirements for requesting permanent access in the section above.
    • If requesting access to multiple packages, you may include all FedRAMP Package IDs on one form.

  3. SKIP "Access Authorization"

    This part is completed by HHS. Leave it blank and move on to the next section.

  4. Agree and sign

    In the next section - “Agreement for Package Review” - initial every line and then digitally sign the document using your CMS PIV.

  5. SKIP "Agreement for FedRAMP Approver"

    This part is completed by HHS. Leave it blank and move on to the next section.

  6. Contractors complete Attachment A

    If you’re a federal contractor, you must complete “Attachment A: Federal Contractor Non-Disclosure Agreement for FedRAMP”. Fill in your name in the first paragraph, read the agreement carefully, then digitally sign at the bottom using your CMS PIV (and date). If you’re not a federal contractor, you can skip this part.

  7. Create Max.gov account

    You’re done with the package request form. Now you must create an account at Max.gov if you don’t already have one – this is where the packages are stored. Once you have an account, move on to the last step.

  8. Submit request via ServiceNow

    Open a CMS ServiceNow request ticket using the FedRAMP ServiceNow Request. Add the details of the package you are requesting, and attach the package request form that you filled out and digitally signed.

Once you’ve completed the steps above, the package request will be sent through the approval process with the Department and with the FedRAMP PMO. You will receive confirmation once your access is granted. Please allow a couple of weeks for approval time.

Products

See all approved FedRAMP Products

The FedRAMP Marketplace provides a searchable and sortable database of Cloud Service Offerings (CSOs) that have achieved a FedRAMP designation, a list of federal agencies using FedRAMP Authorized CSOs, and FedRAMP recognized auditors (3PAOs) that can perform a FedRAMP assessment.

Go to the FedRAMP Marketplace

CMS Sponsored Initial Authorization FedRAMP Products

Cloud Service Provider | Cloud Service Offering | FedRAMP ID | Type | Service Model
Databricks | Databricks on AWS East/West | FR1834740315 | Agency* | PaaS, SaaS
LaunchDarkly | LaunchDarkly | FR2120962552 | Agency* | SaaS
Nucleus | Nucleus for Government | FR2134455708 | Agency* | SaaS
Saviynt, Inc. | Enterprise Identity Cloud (EIC) | FR1821062403 | Agency* | SaaS
Snowflake Inc. | The DataCloud on AWS US East/West | FR1809360201 | Agency* | SaaS
Snowflake Inc. | The DataCloud on Azure Government | FR1809360202 | Agency* | SaaS

CMS Sponsored Products -- In Process

Cloud Service Provider (CSP) | Cloud Service Offering (CSO) | FIPS-199 Security Categorization | Cloud Service Model | CMS Agency Authorization | FedRAMP Marketplace Status | FedRAMP Marketplace ID
AppOmni | AppOmni SaaS Security for Government | Moderate | SaaS | Agency Review | "In-Process" | FR2431264500
Axonius | Axonius Platform | Moderate | SaaS | Agency Finalization | "Final PMO Review" | FR2401047002
Snyk | Snyk for Government | Moderate | SaaS | Agency Finalization | "Final PMO Review" | FR2230451369
Talkdesk | Talkdesk CX Cloud Government Ed. | Moderate | SaaS | Agency Finalization | "Final PMO Review" | FR2213647361