Federal Risk and Authorization Management Program (FedRAMP)

FedRAMP overview

The US Federal Risk and Authorization Management Program (FedRAMP) was established in December 2011 to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services under the Federal Information Security Management Act (FISMA), and to accelerate the adoption of secure cloud solutions by US federal agencies. Cloud Service Providers (CSPs) desiring to sell services to a federal agency can take three paths to demonstrate FedRAMP compliance:

  • Earn a Provisional Authorization to Operate (P-ATO) from the FedRAMP Joint Authorization Board (JAB).
  • Receive an Authorization to Operate (ATO) from a federal agency.
  • Work independently to develop a CSP Supplied Package that meets program requirements.

Each of these paths requires an assessment by an independent third-party assessment organization (3PAO) that is accredited by the program, as well as a stringent technical review by the FedRAMP Program Management Office (PMO).

FedRAMP is based on the National Institute of Standards and Technology (NIST) SP 800-53 standard, augmented by FedRAMP controls and control enhancements. FedRAMP authorizations are granted at three impact levels based on the NIST FIPS 199 guidelines — Low, Moderate, and High. These levels rank the impact that the loss of confidentiality, integrity, or availability could have on an organization — Low (limited effect), Moderate (serious adverse effect), and High (severe or catastrophic effect). The number of controls in the corresponding baseline increases with the impact level; for example, the FedRAMP Moderate baseline has 325 controls whereas the FedRAMP High baseline has 421 controls.

The FedRAMP High authorization represents the highest bar for FedRAMP compliance. The FedRAMP Joint Authorization Board (JAB) is the primary governance and decision-making body for FedRAMP. Representatives from the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA) serve on the board. The board grants a P-ATO to cloud service offerings (CSO) that have demonstrated FedRAMP compliance. Once a P-ATO is granted, a CSP still requires an authorization (an ATO) from any government agency it works with. A government agency can use an existing P-ATO in its own security authorization process and rely on it as the basis for issuing an agency ATO that also meets FedRAMP requirements.

It’s important to note that FedRAMP is not a point-in-time certification or accreditation but an assessment and authorization program that also includes provisions for continuous monitoring, to ensure that the security controls deployed in a CSO remain effective amid an evolving threat landscape and changes in the system environment.

Azure and FedRAMP

Azure and Azure Government maintain FedRAMP High P-ATOs issued by the JAB, in addition to more than 100 Moderate and High ATOs issued by individual federal agencies for the in-scope services. While the FedRAMP High authorization in the Azure public cloud will meet the needs of many US government customers, Azure Government provides additional customer assurances through controls that limit potential access to systems processing customer data to screened US persons.

Azure Blueprints is a service that helps customers deploy and update cloud environments in a repeatable manner using composable artifacts such as Azure Resource Manager templates to provision resources, role-based access controls, and policies. Resources provisioned through Azure Blueprints adhere to an organization’s standards, patterns, and compliance requirements. The overarching goal of Azure Blueprints is to help automate compliance and cybersecurity risk management in cloud environments. To help customers deploy a core set of policies for any Azure-based architecture that requires compliance with FedRAMP, Azure has released the following blueprints:

When a blueprint is assigned to an architecture, Azure Policy evaluates the provisioned resources for compliance with the assigned policy definitions.

Applicability

  • Azure
  • Azure Government

Services in scope

For more information about Microsoft online services in scope for the FedRAMP High P-ATO, see Azure services in FedRAMP audit scope:

  • Azure
  • Dynamics 365
  • Microsoft Cloud App Security
  • Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection)
  • Microsoft Defender for Identity (formerly Azure Advanced Threat Protection)
  • Microsoft Graph
  • Microsoft Intune
  • Microsoft Stream
  • Power Apps
  • Power Automate (formerly Microsoft Flow)
  • Power BI

Office 365 and FedRAMP

For more information about Office 365 compliance, see Office 365 FedRAMP documentation.

Attestation documents

US government customers can request Azure and Azure Government FedRAMP documentation directly from the FedRAMP Marketplace by submitting a package access request form. You must have a .gov or .mil email address to access a FedRAMP security package directly from FedRAMP.

You can access audit reports and certificates in the Azure or Azure Government portal by navigating to Home > Security Center > Regulatory compliance > Audit reports or using direct links based on your subscription (login required):

Selected Azure Government FedRAMP documentation, including the System Security Plan (SSP), continuous monitoring reports, Plan of Action and Milestones (POA&M), etc., is available to customers under NDA, pending access authorization, from the Service Trust Portal Audit Reports - FedRAMP Reports section. Contact your Microsoft account representative for assistance.

Frequently asked questions

Does Azure comply with the Federal Information Security Management Act (FISMA)?
FISMA is a US federal law that requires US federal agencies and their partners to procure information systems and services only from organizations that adhere to FISMA requirements. Most agencies and their vendors that indicate that they are FISMA-compliant are referring to how they meet the controls identified in NIST SP 800-53. The FISMA process (but not the underlying standards themselves) was replaced by FedRAMP in 2011. FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services.

To whom does FedRAMP apply?
FedRAMP is mandatory for federal agency cloud deployments and service models at the Low, Moderate, and High risk impact levels. Any federal agency that wants to engage a CSP may be required to meet FedRAMP specifications. In addition, companies that employ cloud technologies in products or services used by the federal government may be required to obtain an ATO.

Where does my agency start its own compliance effort?
For an overview of the steps federal agencies must take to successfully navigate FedRAMP and meet its requirements, go to Get Authorized: Agency Authorization.

Where can I get the Azure FedRAMP documentation?
For links to audit documentation, see Attestation documents. You must have an existing subscription or free trial account in Azure or Azure Government to log in. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.

Can I use Azure FedRAMP compliance in my agency’s authorization process?
Yes. You may use the Azure or Azure Government FedRAMP High P-ATO as the foundation for any program or initiative that requires an ATO from a federal government agency. However, you need to achieve your own authorizations for components outside these services.

What Azure Government services are covered by FedRAMP High P-ATO and in what regions?
To find out what services are available in Azure Government, see Products available by region. For a list of services with FedRAMP High P-ATO, see Azure Government services in FedRAMP audit scope.

Resources