Standard Overview
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program administered by the General Services Administration (GSA) that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Established in 2011, the program ensures that cloud solutions used by federal agencies meet consistent security requirements based on NIST standards.
FedRAMP follows a "do once, use many" model, in which a cloud provider's security authorization can be reused across federal agencies, saving time and cost. With the launch of FedRAMP 20x in 2025, the program is modernizing its approach to shorten authorization timelines while maintaining rigorous security standards for the growing federal cloud market.
Do Once, Use Many
Cloud providers achieve authorization once and the resulting security package can be reused by any federal agency — eliminating redundant assessments and accelerating cloud adoption.
Three Impact Levels
Authorizations are granted at Low, Moderate, or High impact levels based on FIPS 199 categorization — each with increasing security control requirements from NIST SP 800-53.
Continuous Monitoring
Authorized providers must implement ongoing security monitoring including monthly vulnerability scans, annual penetration testing, and real-time incident reporting.
Authorization Requirements
- System Security Plan (SSP) documenting all controls
- Third-Party Assessment Organization (3PAO) audit
- Security Assessment Report (SAR)
- Plan of Action & Milestones (POA&M)
- Continuous monitoring and monthly reporting
- Incident response within defined timeframes
- Annual assessment and re-authorization
- FedRAMP 20x pilot for accelerated Low authorization
Who Needs to Comply?
Cloud Service Providers (CSPs) seeking to sell cloud products or services to U.S. federal government agencies. Also required for cloud services used by government contractors handling federal data.
Key Requirements
Security Control Implementation
Implement NIST SP 800-53 Rev 5 security controls appropriate to the impact level: Low (~156 controls), Moderate (~325 controls), or High (~421 controls). Document each control in the System Security Plan.
3PAO Assessment
Engage a FedRAMP-recognized Third-Party Assessment Organization (3PAO) to independently evaluate the implementation and effectiveness of security controls.
Authorization Path
Pursue authorization through an Agency ATO (sponsored by a specific federal agency) or Joint Authorization Board (JAB) provisional ATO, or the new FedRAMP 20x pilot path.
Continuous Monitoring
After authorization, maintain ongoing compliance through monthly vulnerability scanning, annual penetration testing, Plan of Action & Milestones (POA&M) management, and reporting of significant changes to the system.
Penalties & Enforcement
No statutory fines — FedRAMP is a prerequisite for government procurement, not a punitive regulation. Cloud providers without FedRAMP authorization are ineligible for federal contracts. Authorized providers that fail to maintain continuous monitoring requirements risk revocation of their Authority to Operate (ATO).