
Agency Use of FedRAMP Certified Cloud Services (Needs Review)

The Agency Use rules summarize the many demands made on agencies by the FedRAMP Authorization Act and OMB Memorandum M-24-15 in a simple, clear, easy-to-follow set of FedRAMP-style rules. These rules align agency policies, authorization letters, machine-readable tools, secure configuration review, continuous monitoring, and communication with FedRAMP so certifications can be reused consistently across government.

Rule Sections


General Agency Responsibilities

These rules apply to agencies based on the FedRAMP Authorization Act, OMB M-24-15, and related FedRAMP policies.

Agency Internal Policies

AGU-AGC-AIP

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies MUST maintain agency-wide internal policies aligned with FedRAMP standards and the principles and directives of OMB Memorandum M-24-15.

Notify FedRAMP After Authorization

AGU-AGC-NAL

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

This FRR includes a notification requirement!

  • Notify FedRAMP by email using ato-letter@fedramp.gov.

Agencies MUST notify FedRAMP after authorizing an in-scope cloud service by supplying the agency Authorization to Operate letter to ato-letter@fedramp.gov.

Governance, Risk, and Compliance Tools

AGU-AGC-GRC

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies MUST ensure that internal governance, risk, compliance, and inventory tools can produce and ingest machine-readable artifacts using formats identified by FedRAMP, including at least:

  1. Open Security Controls Assessment Language (OSCAL)
  2. JSON

Terms: Artifacts, Machine-Readable

Commercial Cloud Adoption

AGU-AGC-CCA

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies SHOULD encourage adoption of commercial cloud services without incentivizing government-specific services.

No Additional Security Requirements

AGU-AGC-NAR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies MUST NOT place additional security requirements on FedRAMP Certified cloud service offerings beyond those required by FedRAMP UNLESS the head of the agency or an authorized delegate determines there is a demonstrable need; this does not apply to seeking clarification or asking general questions about FedRAMP Certification Data.


Note: This is related to the Presumption of Adequacy for a FedRAMP Certification.


Terms: Certification Data, Cloud Service Offering, FedRAMP Certified

Notify Additional Information Requests

AGU-AGC-NAI

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

This FRR includes a notification requirement!

  • Notify FedRAMP by email using info@fedramp.gov.

Agencies MUST notify FedRAMP after requesting any additional information or materials from a FedRAMP Certified cloud service offering beyond those FedRAMP requires by sending an email to info@fedramp.gov.


Note: Agencies are expected to notify FedRAMP under OMB Memorandum M-24-15 section IV (a).


Terms: Cloud Service Offering, FedRAMP Certified

Lessons Learned Reporting

AGU-AGC-LLR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies SHOULD contribute to FedRAMP lessons-learned reporting, including sharing risk acceptance rationales, to improve government-wide reuse and transparency.

FedRAMP Working Groups

AGU-AGC-WKG

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies SHOULD participate in FedRAMP working groups, communities of practice, and stakeholder engagements to supply feedback and align practices across government.

Agency Liaison Program

AGU-AGC-LIA

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies SHOULD assign at least 1 federal employee to be an active participant in the FedRAMP agency liaison program.

Shared FedRAMP Inbox

AGU-AGC-SIN

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies SHOULD establish and maintain a dedicated shared FedRAMP agency inbox to serve as the official point of contact for communications between FedRAMP and the agency.


Note: A shared FedRAMP agency inbox may follow an agency-specific format such as agency-fedramp@agency.gov.

Use of FedRAMP Certifications

These rules apply when agencies use FedRAMP Certifications to make agency authorization decisions.

Authorization Before Use

AGU-USE-ABU

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies MUST complete an agency authorization before using a cloud service inside a federal information system.

Existing Certification Package

AGU-USE-ERP

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies MUST use the existing FedRAMP Certification package to make agency authorization decisions for FedRAMP Certified cloud services.


Terms: Certification Package, FedRAMP Certified

Compensating Controls and Risk Acceptance

AGU-USE-CRC

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies MAY accept compensating controls or risk-acceptance decisions in cases of control misalignment between federal and external frameworks.

Resolve Certification Package Conflicts

AGU-USE-RCF

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies MUST collaborate with FedRAMP when discrepancies or conflicts arise between agency-specific security determinations and the baseline FedRAMP Certification package.


Terms: Certification Package

Review Secure Configuration Guides

AGU-USE-RSG

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies MUST review the Secure Configuration Guides supplied by Providers and configure relevant security settings.

Collaborative Continuous Monitoring Plan

AGU-USE-CCP

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies MUST develop a plan with the Provider to follow Collaborative Continuous Monitoring rules and complete ongoing authorization activities.

Review Ongoing Authorization Reports

AGU-USE-ROR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies MUST review each Ongoing Authorization Report to understand how changes to the cloud service offering may impact the risk tolerance documented in the agency Authorization to Operate for the federal information system that includes the cloud service offering in its boundary.


Note: This agency review supports agency responsibilities under 44 USC § 35, OMB Circular A-130, FIPS-200, and OMB Memorandum M-24-15.


Terms: Cloud Service Offering

Notify FedRAMP of Concerns

AGU-USE-NFC

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

This FRR includes a notification requirement!

  • Notify FedRAMP by email using info@fedramp.gov.

Agencies MUST notify FedRAMP by sending an email to info@fedramp.gov if information presented in an Ongoing Authorization Report, Quarterly Review, or other ongoing authorization data causes significant concerns that may lead the agency to stop operation of the cloud service offering.


Note: Agencies are expected to notify FedRAMP under OMB Memorandum M-24-15 section IV (a).


Terms: Cloud Service Offering, Quarterly Review

Assign Security Category Resources

AGU-USE-ASC

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies SHOULD consider the Security Category noted in the agency Authorization to Operate and assign appropriate information security resources for reviewing Ongoing Authorization Reports, attending Quarterly Reviews, and reviewing other ongoing authorization data.


Terms: Quarterly Review, Security Category

Designate Senior Official

AGU-USE-DSO

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies SHOULD designate a senior information security official to review Ongoing Authorization Reports and represent the agency at Quarterly Reviews for cloud service offerings included in agency information systems.


Terms: Cloud Service Offering, Quarterly Review

Notify Provider of Concerns

AGU-USE-NPC

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

This FRR includes a notification requirement!

  • Notify Provider by email using Provider security contact.

Agencies SHOULD formally notify the Provider if information presented in an Ongoing Authorization Report, Quarterly Review, or other ongoing authorization data causes significant concerns that may lead the agency to remove the cloud service offering from operation.


Terms: Cloud Service Offering, Quarterly Review

Review Inherited Services

AGU-USE-INH

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies SHOULD review the certification packages and continuous monitoring information for third-party independent information resources, such as other cloud services, that are used by a FedRAMP Certified cloud service when available.


Terms: Certification Package, FedRAMP Certified, Information Resource

Agency Sponsored Certifications

These rules apply when an agency sponsors a FedRAMP Rev5 Certification after completing an agency authorization.

Most Recent Consolidated Rules

AGU-SPN-MRC

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies MUST follow the most recent FedRAMP Consolidated Rules when initiating agency-sponsored FedRAMP Certification of in-scope cloud services.

Follow Ongoing Authorization Rules

AGU-SPN-OAR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies MUST follow the ongoing agency authorization rules after FedRAMP issues a FedRAMP Certification they sponsored.
