FedRAMP Security Assessment
The FedRAMP security assessment process defines a set of controls for low and moderate impact level systems based on NIST SP 800-53 controls. The process aligns with what Federal agencies do now when assessing and authorizing cloud systems. FedRAMP uses the same documents and deliverables that NIST requires agencies to use in the SP 800-37 framework.
Cloud service providers must implement these controls and have a third party assessment organization (3PAO) perform an independent assessment of the implementation of these controls. Once a security assessment has been completed, an authorization can be granted by a Federal agency, or if completed through the FedRAMP PMO, a provisional authorization by the Joint Authorization Board (JAB).
Below are the key steps in the security assessment process.
| Step | Description |
|---|---|
| Initiating a Request. | Agencies and CSPs can both apply to FedRAMP to initiate an assessment of a cloud service.oun |
| Once the CSP has implemented the required security controls, the next process is to document the security control implementations in a System Security Plan (SSP). | |
| Performing Security Testing. | Once the SSP has been approved, the CSP contracts with an accredited FedRAMP Third Party Assessment Organization for them to independently test the CSP’s system to determine the effectiveness of the security control implementation. |
| Finalizing the Security Assessment. | JAB reviews the security assessment package and makes final risk-based decision on whether or not to grant a Provisional Authorization. |
