The U.S. Federal Government established the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that provides a standardized approach to security and risk assessment, authorization, and continuous monitoring for cloud products and services. All federal agency cloud deployments and service models, other than certain on-premises private clouds, must meet FedRAMP requirements at the appropriate impact level (Low, Moderate, or High).
There are two approaches to obtaining a FedRAMP Authorization, a provisional authorization through the Joint Authorization Board (JAB) or an authorization through an agency. In the Agency Authorization path, agencies may work directly with a Cloud Service Provider (CSP) for authorization at any time. CSPs that make a business decision to work directly with an agency to pursue an Authority to Operate (ATO) will work with the agency throughout the FedRAMP Authorization process.
Both approaches require an assessment by an independent third-party assessment organization (3PAO) that is accredited by the program, as well as a stringent technical review by the FedRAMP Program Management Office (PMO).
FedRAMP is based on the National Institute of Standards and Technology (NIST) SP 800-53 Rev. 4 standard, augmented by FedRAMP specific controls and control enhancements. FedRAMP authorizations are granted at three impact levels (Low, Moderate, and High) based on NIST FIPS 199 security categorization. These levels rank the impact that the loss of confidentiality, integrity, or availability could have on an organization - Low (limited adverse effect), Moderate (serious adverse effect), and High (severe or catastrophic adverse effect).