What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a US federal government program that standardizes how the federal government assesses, authorizes, and continuously monitors cloud services.
Who should be FedRAMP compliant?
FedRAMP is required for any organization providing a cloud-based service to the US federal government.
There are four FedRAMP baselines (impact levels). Which baseline an organization must meet is determined in discussion with the US federal government:
Li-SaaS (low-impact SaaS that does not store PII, personally identifiable information): 156 controls
Low: 156 controls
Moderate: 323 controls
High: 410 controls
FedRAMP Core Requirements
Sponsorship: US federal agency or FedRAMP Board agrees to “back” an organization through the process
Documentation: Many unique policies and procedures, a system security plan (SSP), and other FedRAMP-specific documentation
Controls: Selection and implementation of your FedRAMP baseline (Li-SaaS, Low, Moderate, High)
Assessments:
Readiness Assessment Report (RAR): Pre-assessment review of the organization’s security capabilities
Security Assessment Report (SAR): Full security assessment that evaluates the controls in place for the organization and the system/service
FedRAMP Status
FedRAMP status refers to the level of compliance an organization or cloud service provider (CSP) has achieved within FedRAMP.
Ready: The FedRAMP assessor attests to the organization’s security capability and accepts the RAR
In-Process: The organization is actively working towards authorization
Authorized: The organization has successfully completed the SAR and maintains a FedRAMP Authorization
Does FedRAMP require a formal audit?
Yes. The assessment must be performed by a Third-Party Assessment Organization (3PAO) only.
How can Vanta support FedRAMP?
Vanta assists customers with readiness:
Implementation guidance
FedRAMP policies and procedures
Vanta recommends working with a FedRAMP third-party consultant for full readiness support and implementation. If you have questions, please contact Vanta's customer success team.