FedRAMP Guidelines
Federal Risk and Authorization Management Program compliance for cloud services
FedRAMP (Federal Risk and Authorization Management Program) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies.
FedRAMP Overview
Impact Levels
| Level | Data Sensitivity | Examples | Controls |
|---|---|---|---|
| Low | Limited adverse effect | Public websites | 125 controls |
| Moderate | Serious adverse effect | PII, business sensitive | 325 controls |
| High | Severe/catastrophic effect | Law enforcement, healthcare | 421 controls |
Authorization Paths
| JAB Authorization | Agency Authorization |
|---|---|
| Joint Authorization Board | Single agency sponsor |
| Provisional ATO (P-ATO) | Agency-specific ATO |
| Reusable across agencies | Can be leveraged by other agencies |
| Higher rigor, longer timeline | Faster, agency-specific |
Security Control Families
NIST 800-53 Control Families
| Family | ID | Description |
|---|---|---|
| Access Control | AC | Who can access what |
| Awareness and Training | AT | Security training |
| Audit and Accountability | AU | Logging and monitoring |
| Security Assessment | CA | Control assessment |
| Configuration Management | CM | Secure configurations |
| Contingency Planning | CP | Business continuity |
| Identification and Authentication | IA | Identity verification |
| Incident Response | IR | Security incident handling |
| Maintenance | MA | System maintenance |
| Media Protection | MP | Media handling |
| Physical and Environmental | PE | Physical security |
| Planning | PL | Security planning |
| Program Management | PM | Security program |
| Personnel Security | PS | Personnel screening |
| Risk Assessment | RA | Risk identification |
| System and Services Acquisition | SA | Secure development |
| System and Communications Protection | SC | Data protection |
| System and Information Integrity | SI | System integrity |
Key Control Requirements
Access Control (AC)
```yaml
# AC-2: Account Management
controls:
  account_management:
    - Identify account types (individual, group, system, service)
    - Establish conditions for membership
    - Assign account managers
    - Authorize account creation
    - Create, enable, modify, disable, and remove accounts
    - Monitor account usage
    - Review accounts periodically

# Implementation example
account_policy:
  types:
    - name: individual
      requires_approval: true
      approver: manager
      review_frequency: 90_days
    - name: service_account
      requires_approval: true
      approver: security_team
      review_frequency: 30_days
      password_rotation: 90_days
    - name: emergency_access
      requires_approval: true
      approver: ciso
      max_duration: 24_hours
      audit_required: true
```
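The policy above only has value if something actually enforces it. As an added example (not code from the guide or from FedRAMP), the Python script below turns the account_policy into checks and runs them over a constructed account inventory: it flags accounts not approved by the designated approver, periodic reviews and service-account password rotations that are overdue, emergency accounts still enabled past their 24-hour window, and emergency use that was never audited. The Account fields and the inventory rows are assumptions standing in for whatever your IdP or directory export provides.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed policy mirroring the account_policy YAML above; the durations
# are converted to timedelta so they can be compared against account metadata.
ACCOUNT_POLICY = {
    "individual": {
        "approver": "manager",
        "review_every": timedelta(days=90),
    },
    "service_account": {
        "approver": "security_team",
        "review_every": timedelta(days=30),
        "password_rotation": timedelta(days=90),
    },
    "emergency_access": {
        "approver": "ciso",
        "max_duration": timedelta(hours=24),
        "audit_required": True,
    },
}


@dataclass
class Account:
    """One row of a constructed account inventory export (hypothetical fields)."""
    name: str
    kind: str
    approved_by: Optional[str]      # who approved creation, None if nobody did
    enabled: bool
    created: datetime
    last_review: Optional[datetime] = None
    password_set: Optional[datetime] = None
    audited: bool = False


def check_account(acct: Account, now: datetime) -> list[str]:
    """Return the AC-2 policy violations for one account as short finding codes."""
    policy = ACCOUNT_POLICY.get(acct.kind)
    if policy is None:
        return ["UNKNOWN_ACCOUNT_TYPE"]
    findings = []
    # Every type requires approval by its designated approver.
    if acct.approved_by != policy["approver"]:
        findings.append("NOT_APPROVED_BY_" + policy["approver"].upper())
    # Periodic review: never reviewed, or reviewed too long ago.
    if "review_every" in policy:
        if acct.last_review is None or now - acct.last_review > policy["review_every"]:
            findings.append("REVIEW_OVERDUE")
    # Credential rotation for service accounts.
    if "password_rotation" in policy:
        if acct.password_set is None or now - acct.password_set > policy["password_rotation"]:
            findings.append("PASSWORD_ROTATION_OVERDUE")
    # Emergency accounts must be disabled once their window has passed.
    if "max_duration" in policy and acct.enabled and now - acct.created > policy["max_duration"]:
        findings.append("EMERGENCY_ACCESS_STILL_ENABLED")
    # And every use of an emergency account must have been audited.
    if policy.get("audit_required") and not acct.audited:
        findings.append("AUDIT_MISSING")
    return findings


def review_accounts(accounts: list[Account], now: datetime) -> dict[str, list[str]]:
    """Run the check over an inventory; only accounts with findings are returned."""
    report = {}
    for acct in accounts:
        findings = check_account(acct, now)
        if findings:
            report[acct.name] = findings
    return report


# Constructed inventory for a review run on 2024-03-01 12:00 (sample data, not real accounts).
NOW = datetime(2024, 3, 1, 12, 0)
ACCOUNTS = [
    Account("alice", "individual", "manager", True, datetime(2023, 6, 1),
            last_review=datetime(2024, 1, 15)),
    Account("bob", "individual", "manager", True, datetime(2022, 2, 1),
            last_review=datetime(2023, 11, 1)),
    Account("svc-backup", "service_account", "security_team", True, datetime(2023, 1, 1),
            last_review=datetime(2024, 2, 20), password_set=datetime(2023, 11, 15)),
    Account("svc-ci", "service_account", "manager", True, datetime(2024, 2, 1),
            last_review=datetime(2024, 2, 25), password_set=datetime(2024, 2, 1)),
    Account("breakglass-1", "emergency_access", "ciso", True, datetime(2024, 2, 28, 10, 0)),
]

if __name__ == "__main__":
    for name, findings in review_accounts(ACCOUNTS, NOW).items():
        print(f"{name}: {', '.join(findings)}")
```

Run as a scheduled job, the output is the evidence for the "Review accounts periodically" bullet; the finding codes are deliberately stable strings so they can be fed into a ticketing system or a POA&M entry rather than read by a human only.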
Audit and Accountability (AU)
```yaml
# AU-2: Audit Events
audit_events:
  - account_logon_events
  - account_management
  - directory_service_access
  - logon_events
  - object_access
  - policy_change
  - privilege_use
  - process_tracking
  - system_events

# AU-6: Audit Review, Analysis, and Reporting
audit_review:
  frequency: weekly
  automated_analysis: true
  alerts:
    - suspicious_login_attempts
    - privilege_escalation
    - unauthorized_access_attempts
    - system_configuration_changes
  reporting:
    - weekly_summary
    - monthly_trending
    - quarterly_executive_report
```
Configuration Management (CM)
```yaml
# CM-2: Baseline Configuration
baseline_configuration:
  documentation:
    - hardware_inventory
    - software_inventory
    - network_topology
    - security_settings
  update_frequency: annually
  change_control_required: true

# CM-6: Configuration Settings
security_configurations:
  operating_systems:
    - CIS Benchmarks
    - DISA STIGs
  containers:
    - CIS Docker Benchmark
    - Kubernetes Security Best Practices
  cloud:
    - CIS AWS Foundations
    - CIS Azure Foundations
```
Incident Response (IR)
```yaml
# IR-4: Incident Handling
incident_handling:
  phases:
    - preparation
    - detection_and_analysis
    - containment
    - eradication
    - recovery
    - post_incident_activity
  severity_levels:
    critical:
      response_time: 15_minutes
      notification: security_team, management, fedramp_pmo
    high:
      response_time: 1_hour
      notification: security_team, management
    medium:
      response_time: 4_hours
      notification: security_team
    low:
      response_time: 24_hours
      notification: security_team
  reporting:
    us_cert: within_1_hour_for_incidents
    fedramp_pmo: significant_incidents
```
Continuous Monitoring
ConMon Requirements
| Activity | Frequency | Output |
|---|---|---|
| Vulnerability scanning | Monthly | Scan reports |
| Configuration scanning | Monthly | Compliance reports |
| POA&M updates | Monthly | Updated POA&M |
| Security assessment | Annual | Assessment report |
| Incident reporting | As needed | Incident reports |
POA&M Management
| ID | Control | Weakness | Risk | Due Date | Status |
|---|---|---|---|---|---|
| POA-001 | AC-2 | No automated account review process | Med | 2024-03-01 | In Progress |
| POA-002 | AU-6 | Incomplete log retention | High | 2024-02-15 | In Progress |
| POA-003 | CM-6 | Missing CIS benchmark for new servers | Low | 2024-04-01 | Planned |
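The monthly POA&M update is where missed timelines become visible to the PMO, so it pays to compute them rather than eyeball them. As an added example (not code from the guide), the Python below loads the three rows above, classifies each as overdue, due soon or on track as of a review date, and checks the scheduled due date against a risk-based remediation window counted from the date the weakness was identified. The identification dates, the review date and the remediation windows (30/90/180 days for high/moderate/low, the figures commonly cited for FedRAMP ConMon) are assumptions; confirm the windows against the current FedRAMP guidance for your package.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation windows by risk rating, counted from the identification date.
REMEDIATION_WINDOW = {
    "High": timedelta(days=30),
    "Med": timedelta(days=90),
    "Low": timedelta(days=180),
}
DUE_SOON = timedelta(days=30)   # flag items falling due within the next monthly cycle


@dataclass
class PoamItem:
    id: str
    control: str
    weakness: str
    risk: str
    identified: date      # constructed: the table above does not carry this column
    due: date
    status: str


# The three rows from the POA&M table above, with constructed identification dates.
POAM = [
    PoamItem("POA-001", "AC-2", "No automated account review process", "Med",
             date(2023, 12, 1), date(2024, 3, 1), "In Progress"),
    PoamItem("POA-002", "AU-6", "Incomplete log retention", "High",
             date(2024, 1, 16), date(2024, 2, 15), "In Progress"),
    PoamItem("POA-003", "CM-6", "Missing CIS benchmark for new servers", "Low",
             date(2024, 1, 15), date(2024, 4, 1), "Planned"),
]
TODAY = date(2024, 3, 10)   # constructed review date for the monthly submission


def item_state(item: PoamItem, today: date) -> str:
    """Closed, overdue, due within the next cycle, or on track."""
    if item.status == "Completed":
        return "closed"
    if item.due < today:
        return "overdue"
    if item.due - today <= DUE_SOON:
        return "due_soon"
    return "on_track"


def due_date_exceeds_window(item: PoamItem) -> bool:
    """True when the scheduled due date lies beyond the risk-based remediation window."""
    return item.due > item.identified + REMEDIATION_WINDOW[item.risk]


def monthly_poam_report(items: list[PoamItem], today: date) -> dict:
    """Summary for the monthly ConMon submission: state per item, days overdue, window violations."""
    report = {"as_of": today.isoformat(), "items": {}, "counts": {}}
    for item in items:
        state = item_state(item, today)
        report["items"][item.id] = {
            "state": state,
            "days_overdue": max((today - item.due).days, 0),
            "exceeds_window": due_date_exceeds_window(item),
        }
        report["counts"][state] = report["counts"].get(state, 0) + 1
    return report


if __name__ == "__main__":
    report = monthly_poam_report(POAM, TODAY)
    print(f"POA&M status as of {report['as_of']}: {report['counts']}")
    for item_id, entry in report["items"].items():
        flag = " (due date exceeds remediation window)" if entry["exceeds_window"] else ""
        print(f"  {item_id}: {entry['state']}, {entry['days_overdue']} days overdue{flag}")
```

On the sample data POA-001 illustrates the window check: identified on 2023-12-01 with a 90-day window, its last permitted due date is 2024-02-29, so the scheduled 2024-03-01 is one day outside it and should have been caught when the item was opened, not when it slipped.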
Documentation Requirements
System Security Plan (SSP)
The SSP must document:
| Section | Content |
|---|---|
| System Information | Name, description, authorization boundary |
| System Environment | Architecture, network, data flow |
| System Interconnections | External systems, APIs |
| Security Controls | Implementation for each control |
| Personnel | Roles and responsibilities |
| Contingency Plan | Business continuity procedures |
Security Assessment Report (SAR)
| Section | Content |
|---|---|
| Executive Summary | Overall security posture |
| Scope | Systems and controls assessed |
| Methodology | Assessment approach |
| Findings | Identified vulnerabilities |
| Recommendations | Remediation guidance |
| Risk Rating | Overall risk assessment |
Implementation Checklist
Preparation Phase
- Determine impact level (Low/Moderate/High)
- Select authorization path (JAB/Agency)
- Identify FedRAMP PMO liaison
- Engage 3PAO (Third Party Assessment Organization)
Documentation Phase
- Complete System Security Plan (SSP)
- Document all control implementations
- Create network diagrams
- Document data flows
- Prepare security policies
Assessment Phase
- Complete security control assessment
- Conduct penetration testing
- Perform vulnerability scanning
- Complete Security Assessment Report (SAR)
- Develop POA&M for findings
Authorization Phase
- Submit authorization package
- Address PMO feedback
- Obtain authorization decision
- Achieve ATO or P-ATO
Continuous Monitoring Phase
- Implement ConMon procedures
- Conduct monthly vulnerability scans
- Submit monthly ConMon reports
- Update POA&M monthly
- Conduct annual assessments
Best Practices
Do
- Start documentation early
- Automate security controls where possible
- Maintain accurate system inventory
- Train personnel on FedRAMP requirements
- Engage experienced 3PAO
- Build continuous monitoring into operations
Don't
- Underestimate documentation effort
- Wait until assessment to implement controls
- Ignore POA&M timelines
- Miss monthly ConMon submissions
- Assume cloud provider handles all controls
- Skip security awareness training
Related Resources
Compliance
This section fulfills the ISO 13485 clauses on regulatory requirements (4.1.1) and documentation control (4.2.4), and the ISO 27001 controls for information security policies (A.5.1), access control (A.5.15), incident management (A.5.24), and compliance with legal requirements (A.5.31).