19. What is FedRAMP and do you offer information security policies and procedures for assistance with FedRAMP compliance?

FedRAMP, which stands for the Federal Risk and Authorization Management Program, is a United States government initiative and formal program providing a uniform, standardized approach to security assessment, authorization, and ongoing monitoring of cloud products and related services. According to the U.S. government, the goals of FedRAMP are to increase the adoption of, and confidence in, secure cloud services and solutions; to develop and implement baseline standards and assessment procedures; and to pursue continuous monitoring of cloud services.

FedRAMP is needed, according to the U.S. government, because of the disjointed and inconsistent approach currently seen across many federal agencies and other supporting entities. Though comprehensive security assessments are undertaken for these agencies, the current process lacks uniformity and clarity, so FedRAMP is seen as a viable solution for providing a unified risk management framework that addresses these problems.

Additionally, it is important to note that from a controls and scope perspective, FedRAMP requires compliance with the NIST SP 800-53 (version 3) publication, titled "Recommended Security Controls for Federal Information Systems and Organizations" (or a subsequent version thereof), along with other supporting controls. Learn more by viewing the FedRAMP Controls "Quick Guide".

Policies and Procedures are a Requirement for FedRAMP

Furthermore, to no one's surprise, documented operational and information security policies and procedures are a large component of FedRAMP compliance. In fact, for each major category of controls within FedRAMP, there are explicit requirements for policies and procedures, and the FLANK21 set of policy and procedure documents from FLANK is without question a great place to start for assistance with FedRAMP compliance. As a global leader in providing industry-leading security documentation, the GISCP set of documents from FLANK includes hundreds of operational and information security policies, procedures, forms, checklists, templates, provisioning and hardening documents, and more.

Additionally, Cloud Service Providers (CSPs) seeking to provide their services to federal agencies within the U.S. government must also undertake comprehensive measures, such as the following:

  • Utilize the prescribed baseline controls, along with the overall FedRAMP requirements.
  • Apply directly, or work with a sponsoring entity, for FedRAMP authorization.
  • Hire an approved Third Party Assessment Organization to perform an independent assessment.
  • Continue to provide relevant updates to FedRAMP on matters such as continuous monitoring.

FedRAMP is seen as a major initiative from the U.S. government in bringing uniformity, transparency, and added security to the "cloud". Along with the FedRAMP requirements come heavy mandates for documented policies and procedures, so trust the experts at FLANK to assist with FedRAMP compliance.