
FedRAMP Terminology

Updated: Jun 11, 2020



In compliance, and FedRAMP specifically, many acronyms and key terms are used to describe processes, standards, and regulations. This article lists and explains the key terminology you will encounter while learning about the FedRAMP framework. Some of these compliance terms and acronyms may also be used in other security frameworks, so some may seem familiar.

FedRAMP – Federal Risk and Authorization Management Program


FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This is in support of the U.S. government’s objective to enable U.S. federal agencies to use managed service providers that enable cloud computing capabilities. FedRAMP is governed by a Joint Authorization Board (JAB) that consists of representatives from the:

  • Department of Homeland Security (DHS)

  • General Services Administration (GSA)

  • Department of Defense (DoD)

The FedRAMP program is endorsed by the U.S. government’s CIO Council including the Information Security and Identity Management Committee (ISIMC).

CSP – Cloud Service Provider


This category of company offers cloud computing to others, from the entire platform to specific applications. Each provides different functional options, such as on-demand, self-provisioning, and subscription-based.


Three types of CSPs:

  1. Infrastructure as a Service (IaaS) - Used for networking and infrastructure components, such as servers, routers, switches, and other hardware

  2. Platform as a Service (PaaS) - Described as infrastructure and services for managing and running various applications with less complexity; this is popular in software development.

  3. Software as a Service (SaaS) - This is for running a variety of business applications for different functions, like healthcare, sales, and financial.

Some of the common companies that offer these cloud deployment models are Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.


Federal Information Processing Standard (FIPS) 199 provides the regulations for systems and information for the Cloud Service Offerings (CSOs) for each provider. These offerings are organized into different impact levels (High, Moderate, and Low) cross-examined against the CIA (Confidentiality, Integrity, and Availability) security triad.

ATO - Authority to Operate


When a Cloud Service Provider (CSP) begins to work with an agency in order to get authorized, this assigned agency will review the security, from infrastructure to controls, of the cloud deployment model.


There are typically 4 phases of this process for a CSP to be granted an ATO:

  1. Partner Establishment

  2. Full Security Assessment

  3. Authorization Processes

  4. Continuous Monitoring

JAB – Joint Authorization Board


The Joint Authorization Board (JAB) is the primary governance and decision-making body for the FedRAMP program. The JAB assesses and grants "joint provisional security authorizations on cloud solutions" applying universal, systematic methodology and practices from the industry. The stakeholders appointed in the JAB include Chief Information Officers from the Department of Defense, the Department of Homeland Security and the General Services Administration.


The key responsibilities for the JAB include:

  1. Outline all FedRAMP-related stipulations.

  2. Authorize accreditation benchmarks for 3PAOs.

  3. Institute a primacy list for authorization package reviews.

  4. Analyze FedRAMP authorization packages.

  5. Permit joint provisional authorizations.

  6. Validate that these provisional authorizations are evaluated and reformed routinely.

PMO – Program Management Office


A PMO is a group, internal or external, that regulates the measures for project management across an organization. Other responsibilities include assessing whether company standard procedures, practices and duties operate without issues.


The FedRAMP PMO's mission is to promote the adoption of secure cloud services across the Federal Government by providing a standardized approach to security and risk assessment.

P-ATO – Provisional Authorization to Operate


A FedRAMP P-ATO can be viewed as the first step for a cloud service provider toward earning a FedRAMP ATO, and it is considered "preauthorization." Once a cloud service provider is awarded a P-ATO, they have been granted preliminary approval from the JAB; this enables the CSP to work with that. Essentially, it is permission given to an organization to operate at the Moderate impact level by the FedRAMP Joint Authorization Board (JAB).

3PAO – Third-Party Assessment Organization


A Third-Party Assessment Organization (3PAO) is an organization that has been certified to assist CSPs and government agencies in meeting FedRAMP compliance regulations.


By using FedRAMP-approved templates, these organizations evaluate cloud-based providers’ systems to ensure transparency and consistency in data security strategies. Per the U.S. General Services Administration (GSA), a 3PAO must meet the following requirements:

  1. Independence and quality management in accordance with International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 17020:1998 standards.

  2. Information assurance competence that includes experience with the Federal Information Security Management Act of 2002 (FISMA) and testing security controls.

  3. Competence in the security assessment of cloud-based information systems.

For a full, updated list of FedRAMP 3PAO requirements, please visit FedRAMP 3PAO Requirements.


SSP – System Security Plan


A System Security Plan (SSP) documents the controls that have been selected to moderate the risk of a system. These controls are determined by the Risk Analysis and the FIPS 199. Federal systems fall into either a Low, Moderate or High category, per NIST’s guidelines.


An SSP provides information regarding the system owner, name of the system and lists the security controls selected for the system. Each control listing includes a detailed description that allows the system owner or auditor to confirm the effectiveness of that control.


These are the key highlights for FedRAMP terminology, but you can go to the FedRAMP Glossary for a complete listing.


