FedRAMP is a government-wide, standardized approach to security assessments and ongoing assessments and authorizations (continuous monitoring). Under the Federal Information Security Management Act (FISMA), Federal agencies must authorize IT service at the agency level. Through OMB policy, Federal agencies must use FedRAMP when authorizing cloud services.
FedRAMP has three process areas that allow agencies to authorize cloud services for use:
SECURITY ASSESSMENT. The security assessment process uses a standardized set of requirements in accordance with FISMA using a baseline set of NIST 800-53 controls to grant security authorizations.
LEVERAGING AN AUTHORIZATION. Federal agencies can view security authorization packages in the FedRAMP repository and leverage the security authorization packages to grant a security authorization at their own agency.
ONGOING ASSESSMENT & AUTHORIZATION. Once an authorization is granted, ongoing assessment and authorization activities must be completed in order to maintain the security authorization.