Compliance Standards Library

FedRAMP

What is FedRAMP?

Who should be FedRAMP compliant?

  • FedRAMP is required for any organization providing a cloud-based service to the US federal government.

There are four FedRAMP baselines (complexity levels); which baseline an organization needs is determined in discussion with the US federal government:

  • Li-SaaS (does not store PII, personally identifiable information): 156 controls
  • Low: 156 controls
  • Moderate: 323 controls
  • High: 410 controls

FedRAMP Core Requirements

  • Sponsorship: US federal agency or FedRAMP Board agrees to “back” an organization through the process
  • Documentation: Many unique policies & procedures, a system security plan (SSP), and other FedRAMP-specific documentation
  • Controls: Selection and implementation of your FedRAMP baseline (Li-SaaS, Low, Moderate, High)
  • Assessments:
    • Readiness Assessment Report (RAR): Pre-assessment review of the organization’s security capabilities
    • Security Assessment Report (SAR): Full security assessment that evaluates the in-place controls of the organization and system/service

FedRAMP Status

FedRAMP status refers to the level of compliance an organization or cloud service provider (CSP) has achieved within the FedRAMP program.

  • Ready: The FedRAMP assessor attests to the organization’s security capability and accepts the RAR
  • In-Process: The organization is actively working towards authorization
  • Authorized: The organization has successfully completed the SAR and maintains a FedRAMP Authorization

Does FedRAMP require a formal audit?

  • Yes, and it may only be performed by a Third-Party Assessment Organization (3PAO)

How can Vanta support FedRAMP?

Vanta assists customers with readiness:

  • Implementation guidance
  • FedRAMP policies and procedures

Vanta recommends working with a FedRAMP third-party consultant for full readiness support and implementation. If you have questions, please contact Vanta's customer success team.
