Active standard. Last updated: March 2025

FedRAMP

Federal Risk and Authorization Management Program: security authorization for cloud services

Issuing organization: U.S. General Services Administration (GSA)

Overview

FedRAMP (the Federal Risk and Authorization Management Program) is the U.S. government's standardized program for the security assessment, authorization, and continuous monitoring of cloud services. Run by the General Services Administration (GSA), it ensures that cloud services used by federal agencies meet a consistent set of security requirements. Its baselines are built from the NIST SP 800-53 control catalog and are tiered by the sensitivity of the data handled into three impact levels, Low, Moderate, and High, each with a progressively larger set of required controls (the Low tier also includes LI-SaaS, a tailored baseline for low-impact software-as-a-service offerings).

There have been two authorization paths: an agency Authority to Operate (Agency ATO) and a provisional ATO from the Joint Authorization Board (JAB P-ATO; the JAB was made up of the CIOs of DoD, DHS, and GSA). The July 2024 OMB policy memo replaced the JAB with a FedRAMP Board, and the 2024-2025 FedRAMP 20x initiative is a modernization effort intended to speed up authorization, reduce cost, and improve efficiency. A cloud service provider (CSP) must be independently assessed by a Third-Party Assessment Organization (3PAO) and must then run a continuous monitoring program that includes monthly vulnerability scanning, an annual assessment, and incident reporting. More than 340 cloud products currently hold a FedRAMP authorization, and authorization is mandatory for selling cloud services to the federal government.


Do Once, Use Many

Cloud providers achieve authorization once and the resulting security package can be reused by any federal agency — eliminating redundant assessments and accelerating cloud adoption.


Three Impact Levels

Authorizations are granted at Low, Moderate, or High impact levels based on FIPS 199 categorization — each with increasing security control requirements from NIST SP 800-53.


Continuous Monitoring

Authorized providers must operate an ongoing security monitoring program that includes monthly vulnerability scans, annual penetration testing, and incident reporting within the timeframes FedRAMP defines.

Authorization Requirements

  • System Security Plan (SSP) documenting all controls
  • Third-Party Assessment Organization (3PAO) audit
  • Security Assessment Report (SAR)
  • Plan of Action & Milestones (POA&M)
  • Continuous monitoring and monthly reporting
  • Incident response within defined timeframes
  • Annual assessment to maintain the authorization
  • FedRAMP 20x pilot for accelerated Low authorization

Who Needs to Comply?


Cloud Service Providers (CSPs) seeking to sell cloud products or services to U.S. federal agencies. Contractors that handle federal data may also be required, through their contract terms (for example, DFARS clauses covering controlled unclassified information), to use FedRAMP-authorized cloud services or services that meet an equivalent baseline.

Key Requirements

1

Security Control Implementation

Implement the NIST SP 800-53 Rev 5 controls selected by the FedRAMP baseline for the target impact level: Low (156 controls), Moderate (323 controls), or High (410 controls). Document how each control is implemented in the System Security Plan.

2

3PAO Assessment

Engage a FedRAMP-recognized Third-Party Assessment Organization (3PAO) to independently evaluate the implementation and effectiveness of security controls.

3

Authorization Path

Pursue authorization through an Agency ATO (sponsored by a specific federal agency), a Joint Authorization Board (JAB) provisional ATO (a path the July 2024 policy memo retired in favor of the FedRAMP Board, with existing P-ATOs carried forward), or the new FedRAMP 20x pilot path.

4

Continuous Monitoring

After authorization, maintain ongoing compliance through monthly vulnerability scanning, annual penetration testing, plan of action & milestones management, and significant change reporting.

Penalties & Enforcement


No statutory fines — FedRAMP is a prerequisite for government procurement, not a punitive regulation. Cloud providers without FedRAMP authorization are ineligible for federal contracts. Authorized providers that fail to maintain continuous monitoring requirements risk revocation of their Authority to Operate (ATO).

Official documentation


Implementation timeline

December 2011
OMB memo establishes FedRAMP
June 2012
FedRAMP PMO operational under GSA
December 2022
FedRAMP Authorization Act signed into law
July 2024
Updated OMB policy memo with new vision and governance
March 2025
FedRAMP 20x pilot announced for accelerated authorization
August 2025
GSA completes 144 authorizations, eliminates backlog
