Federal Risk and Authorization Management Program (FedRAMP)
Provides a federally-recognized standardized security framework for all cloud products and services
CMS Slack Channel- #fedramp
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide initiative that was established in 2011 to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. FedRAMP offers a standardized approach to security assessments, security authorization, and continuous monitoring for cloud products and services. It is designed to:
- Reduce duplicative efforts, inconsistencies, and cost inefficiencies.
- Establish public-private partnerships that promote innovation and security.
- Enable the federal government to accelerate the adoption of cloud computing.
- Create transparent standards and processes for security authorizations
- Allow agencies to leverage security authorizations on a government-wide scale.
Who supports FedRAMP at CMS?
The CMS FedRAMP Program Management Office (PMO) is made up of members of the Information Security and Privacy Group (ISPG). The team works on the procedures to obtain FedRAMP authorization and perform continuous monitoring for cloud services.
FedRAMP versus FISMA
There may be some confusion about the difference between the FedRAMP program and the Federal Information Security Modernization Act (FISMA). While these two federal policies have a lot in common, there are important differences that users need to be aware of.
The Federal Information Security Modernization Act (FISMA) was enacted in 2002 as an effort to modernize all federal government information systems. When thinking about FISMA and FedRAMP, it’s important to remember that FISMA guidance applies to all technologies and systems while FedRAMP deals exclusively with cloud service offerings. Other differences include:
- While both FedRAMP and FISMA follow NIST security guidance from 800-53, FedRAMP has additional, cloud-specific controls.
- The FISMA boundary encompasses the full system, which can include 1 or more cloud service offerings; the FedRAMP boundary is exclusively for the cloud service offering and may include the full stack (infrastructure, platform and software) or just parts.
- FedRAMP requires a Third Party Assessment Organization (3PAO), certified through GSA FedRAMP Program Management Office (PMO), to provide initial and periodic assessments of cloud systems based on federal security requirements; FISMA does not.
- FedRAMP authorization can be leveraged by multiple agencies, while FISMA authorization is agency specific.
How does FedRAMP Authorization work?
How to obtain a FedRAMP Authorization
There are two ways a cloud service can obtain a FedRAMP authorization:
1. Joint Advisory Board (JAB) Provisional ATO (P-ATO)
The Joint Advisory Board (JAB) is the primary governing body for FedRAMP and includes the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA). The JAB selects approximately 12 cloud products per year and works with them to secure a JAB Provisional Authority to Operate (P-ATO).
A P-ATO means that the JAB has reviewed the cloud service’s authorization package and provided a provisional approval for federal agencies to leverage when granting an ATO for a cloud system. There are no collaborative continuous monitoring efforts within this model; the JAB review team independently manages this process.
2. Agency ATO
Any federal agency can work with a cloud services provider to provide an ATO for the cloud service and submit the package to the FedRAMP Program Management Office (PMO) for authorization. Agency Authorization also provides the additional benefit of collaborative continuous monitoring efforts. To get involved in any of these meetings for systems not sponsored by CMS, the ISSO should email the vendor's compliance team which is available at marketplace.fedramp.gov (Click on the vendor. Contact info is to the left).
FedRAMP Authorization levels
FedRAMP follows the Federal Information Process Stands (FIPS) 199 for the categorization of the baseline requirements as:
This FedRAMP baseline was developed to authorize low impact industry solutions that do not contain any sensitive personally identifiable information (PII), including Low-Impact Software as a Service (Li-SaaS).
The moderate level is for cloud service offerings where the loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency’s operations, assets, or individuals. Serious adverse effects at the moderate level could include significant operational damage to agency assets, financial loss, or individual harm that is not loss of life or physical.
The high level is typically reserved for law enforcement and emergency services systems, financial systems, health systems, and any other system where loss of confidentiality, integrity, or availability could have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. The high level holds the government’s most sensitive, unclassified data in cloud computing environments, including data that involves the protection of life and financial ruin.
Is FedRAMP Authorization required?
Yes, according to an OMB Memorandum, any cloud service that holds federal data must be FedRAMP authorized. Existing FedRAMP authorized cloud services can be viewed in the FedRAMP Marketplace.
There are exceptions to the authorization requirements above. If a cloud service offering meets all of the following criteria, it can be implemented by CMS without a FedRAMP Authorization:
- The offering has a private cloud deployment model (i.e., the cloud environment is operated solely for the use at CMS).
- The offering is privately implemented within a managed CMS general services system (i.e., within CMS Cloud).
- The offering does not provide cloud services from the cloud-based information system to any external entities (including bureaus, components, or subordinate organizations within their agencies).
In the event that your chosen cloud service offering does not require a FedRAMP Authorization, you should continue to comply with the current FISMA requirements and the appropriate NIST security standards and guidelines for your private cloud-based information system.
FedRAMP Authorization best practices
There are some important steps you can take to make sure your FedRAMP Authorization efforts are successful:
Making an effort to reach out to others who can help you determine the appropriate next steps for FedRAMP Authorization will make the process easier and help you avoid delays.
- Contact the CMS Cloud team to see if their solution meets your needs.
- Contact the CMS FedRAMP PMO if you're thinking of using a different cloud service.
- Contact the Technical Review Board to discuss the necessary steps to ensure the proper architecture and security to protect government data.
CMS stakeholders and CSPs interested in using a cloud offering or provider that does not have a FedRAMP authorization should engage the CMS FedRAMP PMO early and often. A list of approved cloud service offerings and providers can be found here on this page, or on the FedRAMP Marketplace.
CSPs should clearly communicate how a cloud service impacts federal information and provide CMS stakeholders insight into a system’s architecture.
Business Owners and CSPs have a responsibility to perform continuous monitoring and maintain a system’s security posture, requiring mature security processes. The CMS FedRAMP PMO can support stakeholders in this process and answer questions.
CSPs should describe how they manage and support security and what protections they have in place to achieve a level of security sufficient for CMS systems. In addition to the FedRAMP baseline, the CSP will also have to meet CMS baseline security requirements to receive an Authority to Operate (ATO).
Choosing a cloud service provider or offering
When selecting a cloud service offering or provider, you can either use a service that has been FedRAMP authorized, or you can choose to sponsor the initial authorization with a CMS Agency Authorization for a cloud service offering.
Sponsoring a new cloud service provider or offering
Sponsoring a cloud service will require a CMS Authorization to Operate (ATO), which will take time. Additionally, a new cloud service provider will need to navigate through the FedRAMP Authorization process. This will add more time to production and will require monthly continuous monitoring responsibilities.
There are a number of important requirements you must meet if you’re interested in sponsoring a cloud service offering for FedRAMP Authorization at CMS:
- The CSP is recommended to use Open Security Controls Assessment Language (OSCAL) for documentation.
- It is recommended that the CSP has an independent FedRAMP Readiness Assessment already in place.
- The Business Owner and ISSO must commit to the management of the authorization and continuous monitoring process.
- CMS Cloud can provide the underlying infrastructure and platform needed to host the application.
CMS Rapid Cloud Review (RCR)
CMS has developed a RCR process to provide an initial security review of the cloud service. This is done by the CMS Software as a Service Governance (SaaSG) team. The cloud service should be assessed through the RCR process.
FedRAMP Readiness Assessment
We highly recommend a FedRAMP Readiness Assessment from an accredited Third-Party Assessment Organization (3PAO) to evaluate your readiness for FedRAMP.
Fully built environment
The cloud service environment must be fully built out and ready before the agency will commit to sponsoring the cloud service.
FedRAMP Security Controls Compliance
Your cloud services must comply with all security controls as outlined in the FedRAMP Security Assessment Framework (SAF), which includes controls from the National Institute of Standards and Technology (NIST)Special Publication (SP) 800-53 Revision 5.
CMS Security Controls Compliance
In addition to FedRAMP security requirements, the cloud service must also meet the requirements of the CMS Acceptable Risks and Safeguards (ARS) implementation of the NIST SP800-53 Rev. 5 controls.
Identify Subject Matter Experts
Identify subject matter experts on your cloud team that will support the creation of FedRAMP documentation and liaison with the agency through the authorization process.
Documentation
We would require all documentation necessary to support the security controls, such as a System Security and Privacy Plan (SSPP). Developing the SSPP in the Open Security Controls Assessment Language (OSCAL) is recommended.
Commitment of the CMS Business Owner
The authorization process takes months to complete, so it is essential that the business owner is committed to using the product for the duration of the FedRAMP authorization process.
Choosing an existing FedRAMP provider
The FedRAMP Marketplace is the repository of cloud service providers (CSPs) and cloud service offerings (CSOs) that are:
FedRAMP Authorized - CSO is authorized for FedRAMP
FedRAMP Ready - CSP is not yet authorized for FedRAMP, but the CSP have completed their FedRAMP Readiness Assessment Report (RAR) and is ready to partner with an Agency (such as CMS)
FedRAMP In Process - CSO is being reviewed for an Authority to Operate (ATO) by an Agency or the FedRAMP Joint Authorization Board (JAB)
"FedRAMP Ready" status for new CSPs that are not FedRAMP Authorized is highly recommended. This status indicates that a 3PAO has reviewed documentation from the CSP and provided a readiness report. This can be requested for review as part of evaluating the selection of a CSO.
FedRAMP Package Request process
The FedRAMP Package provides security posture details for a cloud service that has been FedRAMP Authorized. You may want to request a FedRAMP package if you are using, considering, and/or assessing a cloud service offering. Initial access to the package lasts for 60 days. Permanent access can be granted if the agency has an ATO letter on file with the FedRAMP Program Management Office (PMO). According to the FedRAMP Authorization Act, all systems that directly leverage a FedRAMP-authorized cloud service must include this in an ATO and notify the CMS FedRAMP PMO (fedramp@cms.hhs.gov) of the authorization and changes to the authorization, including renewals and revokation.
Note: Creating a request for a FedRAMP Package requires a Max.gov account. Follow the steps below:
Start package request form
Use the FedRAMP Package Request Access form on the FedRAMP website. This is a digital form that you can complete and sign from your computer. Start by filling out "User Information" at the top.
Add details about the package
For filling out the “Requested Package” section, you can find details about the package on the FedRAMP Marketplace. This will include:
- Name of Package (Cloud Service Name)
- Package ID (FedRAMP Package ID)
SKIP "Access Authorization"
This part is completed by HHS. Leave it blank and move on to the next section.
Agree and sign
In the next section - “Agreement for Package Review” - initial every line and then digitally sign the document using your CMS PIV.
SKIP "Agreement for FedRAMP Approver"
This part is completed by HHS. Leave it blank and move on to the next section.
Contractors complete Attachment A
If you’re a federal contractor, you must complete “Attachment A: Federal Contractor Non-Disclosure Agreement for FedRAMP”. Fill in your name in the first paragraph, read the agreement carefully, then digitally sign at the bottom using your CMS PIV (and date). If you’re not a federal contractor, you can skip this part.
Create Max.gov account
You’re done with the package request form. Now you must create an account at Max.gov if you don’t already have one – this is where the packages are stored. Once you have an account, move on to the last step.
Submit request via ServiceNow
Open a CMS ServiceNow request ticket using the FedRAMP ServiceNow Request. Add the details of the package you are requesting, and attach the package request form that you filled out and digitally signed.
Once you’ve completed the steps above, the package request will be sent through the approval process with the department and with the FedRAMP PMO. You will receive confirmation once your access is granted. Please allow a couple of weeks for approval time.
Products
See all approved FedRAMP Products
The FedRAMP Marketplace provides a searchable and sortable database of Cloud Service Offerings (CSOs) that have achieved a FedRAMP designation, a list of federal agencies using FedRAMP Authorized CSOs, and FedRAMP recognized auditors (3PAOs) that can perform a FedRAMP assessment.
CMS Sponsored Initial Authorization FedRAMP Products
| Cloud Service Provider | Cloud Service Offering | FedRAMP ID | Type | Service Model |
| Databricks | Databricks on AWS East/West | FR1834740315 | Agency* | PaaS, SaaS |
| Saviynt, Inc. | Enterprise Identity Cloud (EIC) | FR1821062403 | Agency* | SaaS |
| Snowflake Inc. | The DataCloud on AWS US East/West | FR1809360201 | Agency* | SaaS |
| Snowflake Inc. | The DataCloud on Azure Government | FR1809360202 | Agency* | SaaS |
| LauchDarkly | LauchDarkly | FR2120962552 | Agency* | SaaS |
| Nucleus | Nucleus for Government | FR2134455708 | Agency* | SaaS |
CMS Sponsored Products -- In Process
| Cloud Service Provider (CSP) | Cloud Service Offering (CSO) | FIPS-199 Security Categorization | Cloud Service Model | CMS Agency Authorization | FedRAMP Marketplace Status | FedRAMP Marketplace ID |
| Snyk | Snyk for Government | Moderate | SaaS | Agency Review | "In-Process" | FR2230451369 |
| Axonius | Axonius Platform | Moderate | SaaS | Agency Review | "In-Process" | FR2401047002 |
Related documents and resources
Platform-As-A-Service with tools, security, and support services designed specifically for CMS
Testing and documenting system security and compliance to gain approval to operate the system at CMS
Executive Order that requires the continuous verification of system users to promote system security
Considerations and guidelines for CMS business units wanting to use SaaS applications