FedRAMP, or the Federal Risk and Authorization Management Program, is a government-wide program that provides a standardized approach to the assessment, authorization, and continuous monitoring of cloud products and services used by federal agencies. The program is designed to ensure that cloud services used by federal agencies meet certain security and risk management standards, and to reduce the time and cost of evaluating and approving cloud services for use by the government.

FedRAMP was established in 2011 in response to the increasing use of cloud computing by federal agencies and is administered by the General Services Administration (GSA) in partnership with the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST).

There are two approaches to obtaining a FedRAMP Authorization, a provisional authorization through the Joint Authorization Board (JAB) or an authorization through an agency.


The JAB is the primary governing body for FedRAMP and includes the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA). The JAB selects approximately 12 cloud products a year to work with for a JAB Provisional Authority to Operate (P-ATO). Additionally, the JAB is responsible for performing the continuous monitoring for all JAB Authorized cloud products.


In the Agency Authorization path, agencies may work directly with a Cloud Service Provider (CSP) for authorization at any time. CSPs that make a business decision to work directly with an agency to pursue an Authority to Operate (ATO) will work with the agency throughout the FedRAMP Authorization process.

The FedRAMP process begins with a cloud service provider (CSP) submitting a detailed security assessment of their product or service to a third-party assessment organization (3PAO). The 3PAO conducts a review of the CSP’s security controls and issues a report on their findings.

If the report is favorable, the CSP can then submit their product or service for review by a FedRAMP Joint Authorization Board (JAB).

The JAB reviews the 3PAO report and decides on whether the CSP’s product or service meets the necessary security standards. If the JAB approves the product or service, it is granted a FedRAMP authorization, which allows it to be used by any federal agency.

In addition to the initial authorization process, FedRAMP also includes ongoing monitoring of CSPs to ensure that their products and services continue to meet the required security standards. This includes regular security assessments and the ability for federal agencies to report any issues or concerns they may have with a CSP’s product or service.

Overall, FedRAMP is an important program that helps to ensure the security and risk management of cloud products and services used by federal agencies. By providing a standardized approach to the assessment and authorization of these products and services, FedRAMP helps to protect the government’s data and systems, while also promoting the use of innovative and cost-effective cloud solutions.

While not an authorized 3PAO, Brockton Point Solutions has experience getting clients FedRAMP ready. Please reach out if you have questions or would like to utilize our services for your FedRAMP readiness.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top