Session Presentation
Unified but Evolving: The Shifting Terrain of FedRAMP, GovRAMP, and DoD CC SRG

Presented by:
Eric Kraft | Director Public Sector Advisory / Coalfire
Max Post | Director Public Sector Advisory / Coalfire
Justin Richardson | Director Public Sector Advisory / Coalfire

Introduction to FedRAMP
What is FedRAMP?
Founded in 2011, the Federal Risk and Authorization Management Program (FedRAMP®) provides a standardized approach to security authorizations for Cloud Service Offerings. FedRAMP was codified by the FY23 National Defense Authorization Act (NDAA) as the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information.
Key Players:
- U.S. Federal Government Agencies (Customers)
- Cloud Service Providers (CSPs)
- Third Party Assessment Organizations (3PAOs)
- FedRAMP Program Management Office (PMO)
- FedRAMP Board (GSA, DoD, DHS, VA, FDIC)
Timeline and Major Steps: 6-9 Months to FedRAMP ATO
- Partnership Establishment
- Full Security Assessment
- Authorization Process
- Continuous Monitoring
What is GovRAMP?
GovRAMP is a framework that provides states, local governments, and higher education institutions with a standardized approach to assessing and authorizing cloud computing products and services. While not a federal mandate, GovRAMP is heavily influenced by FedRAMP and aims to streamline the adoption of secure cloud solutions at the state and local level.
GovRAMP is more of a concept than a program today
GovRAMP, while gaining traction, still lacks the formal structure and centralized authority that FedRAMP possesses. Instead, it serves as a guiding principle and a collection of best practices for state and local governments to evaluate and adopt cloud services. This decentralized approach allows for flexibility, but also means that the implementation and specific requirements can vary significantly from one jurisdiction to another.
GovRAMP is driven by states
States like Texas (Tx-RAMP), Arizona (AZRamp), New York (NY-RAMP), and others are developing their own state-specific cloud security assessment and authorization programs. These programs often leverage elements of FedRAMP, but are tailored to meet the unique needs and regulatory environments of each state. This state-driven approach to GovRAMP highlights the growing importance of cloud security at all levels of government, and the need for standardized, yet adaptable, frameworks to ensure the secure adoption of cloud technologies.
Unified Approaches
DISA & DoD Cloud Computing Security Requirements Guide (CC SRG)
DoD Provisional Authorization for Cloud Service Offerings
The DoD Cloud Computing Security Requirements Guide (CC SRG) establishes security requirements for Cloud Service Offerings (CSOs) used by DoD Components. It defines the baseline security controls for cloud services that process DoD information and operate within DoD information systems. The CC SRG aims to ensure that cloud services meet DoD's stringent security standards, enabling secure and effective cloud adoption across the department.
DISA & CSP Authorization Planning
Initial Contact Meeting
The DoD Provisional Authorization process begins when a DoD Mission Owner submits a request through the DoD Cloud Authorization Service (DCAS) web portal. During the initial contact meeting, DISA meets with the CSP and the DoD Sponsor to review the requirements for a DoD Provisional Authorization. DISA staff outline the authorization process and help the CSP and the DoD sponsor determine the best path forward.
DoD CC SRG Authorization Process
- The DoD CC SRG authorization process builds on the processes established by FedRAMP.
- A CSP undergoes initial and annual assessments in coordination with a 3PAO and is separately assessed by DISA's Cloud Assessment team.
- Once the DISA assessment is complete, an Authorizing Official (AO) grants a DoD Provisional Authorization.
DoD Mission Owner Onboarding
- A provisional authorization is DISA's "stamp of approval" that the CSP meets the core security requirements for connection to the Defense Information Systems Network (DISN)
- DoD Mission Owners retain operational control of their networks and must still grant their own ATO for the CSP's CSO; the provisional authorization does not replace it
- The DISA Cloud Connection Process Guide (CCPG) governs the subsequent onboarding to a DoD Boundary Cloud Access Point (BCAP)
Customer Reciprocity Across Programs