What is FedRAMP?
- Federal Risk and Authorization Management Program is a program that standardizes how the US federal government assesses, authorizes, and monitors cloud services.
Who should be FedRAMP compliant?
- FedRAMP is required for any organization providing a cloud-based service to the US federal government.
There are four FedRAMP baselines (complexity levels); which baseline an organization must meet is determined in discussion with the US federal government:
- Li-SaaS (does not store PII, personally identifiable information): 156 controls
- Low: 156 controls
- Moderate: 323 controls
- High: 410 controls
FedRAMP Core Requirements
- Sponsorship: US federal agency or FedRAMP Board agrees to “back” an organization through the process
- Documentation: Many unique policies & procedures, a system security plan (SSP), and other FedRAMP-specific documentation
- Controls: Selection and implementation of your FedRAMP baseline (Li-SaaS, Low, Moderate, High)
- Assessments:
  - Readiness Assessment Report (RAR): Pre-assessment review of the organization’s security capabilities
  - Security Assessment Report (SAR): Full security assessment that evaluates the in-place controls of the organization and system/service
FedRAMP Status
FedRAMP status refers to the level of compliance an organization or cloud service provider (CSP) has achieved within the FedRAMP program.
- Ready: The FedRAMP assessor attests to the organization’s security capability and accepts the RAR
- In-Process: The organization is actively working towards authorization
- Authorized: The organization has successfully completed the SAR and maintains a FedRAMP Authorization
Does FedRAMP require a formal audit?
- Yes. The assessment must be performed by a Third-Party Assessment Organization (3PAO) only.
How can Vanta support FedRAMP?
Vanta assists customers with readiness:
- Implementation guidance
- FedRAMP policies and procedures
Vanta recommends working with a FedRAMP third-party consultant for full readiness support and implementation. If you have questions, please contact Vanta's customer success team.