FedRAMP was created out of the Federal Cloud Computing Initiative to remove the barriers to the adoption of the cloud.
• Cloud computing offers a unique opportunity for the federal government to take advantage of cutting-edge information technologies to dramatically reduce procurement and operating costs and greatly increase the efficiency and effectiveness of services provided to its citizens.
• FedRAMP provides a cost-effective, risk-based approach for the adoption and use of cloud services. Established in December 2011, FedRAMP is the first government-wide security authorization program for FISMA, which requires each Federal Agency to develop, document, and implement programmatic information security for systems that support the operations and assets of the agency. This also includes systems and services provided or managed by another agency, contractor, or other source. FedRAMP processes are designed to assist agencies in meeting FISMA requirements for cloud systems and to address the complexities of cloud systems that create unique challenges for complying with FISMA.
• FedRAMP sets out executive department and agency responsibilities to develop, implement, operate, and maintain FedRAMP. FedRAMP focuses on ensuring that the security standards of the Federal Information Security Management Act of 2002 (FISMA) are applied, and it introduces efficiencies to the process for cloud systems (key among which is re-use).
FedRAMP standardizes the way the Government does security authorizations for cloud products and services in four essential ways:
1. Doing security authorizations once and re-using them, which may reduce or minimize duplication.
2. Increasing collaboration and creating a community across the U.S. Government and vendors that did not exist before – FIRST government-wide FISMA program.
3. Validating security authorizations to ensure that there is uniformity among security packages.
4. Enabling a centralized repository where agencies can request access to security packages for expedient authorizations.
With FedRAMP, there is a uniform risk management approach with a standard set of approved minimum security controls (Low, Moderate, High Impact), a consistent assessment process, and a Provisional Authorization to Operate (P-ATO) or an Agency Authorization.