The Federal Risk and Authorization Management Program (FedRAMP) methodology is based on the requirements defined by FedRAMP, the National Institute of Standards and Technology (NIST) and Federal Information Processing Standards (FIPS). This methodology is our strategy for achieving compliance through assessing risks and providing the Authorizing Official (AO) with accreditation information that is associated with:
- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
- Software as a Service (SaaS)
This strategy defines the required activities by the Cloud Service Provider (CSP), system owner as-well-as the 3PAO who is conducting the Independent Verification & Validation (IV&V) on the security controls. The CSP and system owner requirements involve the creation of security program documentation using the GSA templates and guidelines. In addition, selected NIST and FIPS publications must be used during system development, while in production and IV&V activities.
This methodology shall continuously be updated to reflect the changes affecting GSA IT Security Procedures, NIST Publications, FIPS Publications and best practices identified during the assessment process.