Federal Risk and Authorization Management Program (FedRAMP)

FedRAMP overview

The US Federal Risk and Authorization Management Program (FedRAMP) was established in December 2011 to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services under the Federal Information Security Management Act (FISMA), and to accelerate the adoption of secure cloud solutions by US federal agencies. Cloud Service Providers (CSPs) desiring to sell services to a federal agency can take three paths to demonstrate FedRAMP compliance:

  • Earn a Provisional Authorization to Operate (P-ATO) from the FedRAMP Joint Authorization Board (JAB).
  • Receive an Authorization to Operate (ATO) from a federal agency.
  • Work independently to develop a CSP Supplied Package that meets program requirements.

Each of these paths requires an assessment by an independent third-party assessment organization (3PAO) that is accredited by the program and a stringent technical review by the FedRAMP Program Management Office (PMO).

FedRAMP is based on the National Institute of Standards and Technology (NIST) SP 800-53 standard, augmented by FedRAMP controls and control enhancements. FedRAMP authorizations are granted at three impact levels based on the NIST FIPS 199 guidelines — Low, Moderate, and High. These levels rank the impact that the loss of confidentiality, integrity, or availability could have on an organization — Low (limited effect), Moderate (serious adverse effect), and High (severe or catastrophic effect). The number of controls in the corresponding baseline increases as the impact level increases, for example, FedRAMP Moderate baseline has 325 controls whereas FedRAMP High baseline has 421 controls.

The FedRAMP High authorization represents the highest bar for FedRAMP compliance. The FedRAMP Joint Authorization Board (JAB) is the primary governance and decision-making body for FedRAMP. Representatives from the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA) serve on the board. The board grants a P-ATO to cloud service offerings (CSO) that have demonstrated FedRAMP compliance. Once a P-ATO is granted, a CSP still requires an authorization (an ATO) from any government agency it works with. A government agency can use an existing P-ATO in its own security authorization process and rely on it as the basis for issuing an agency ATO that also meets FedRAMP requirements.

Note

FedRAMP is not a point-in-time certification or accreditation but an assessment and authorization program that comes with provisions for continuous monitoring to ensure that deployed security controls in a CSO remain effective in an evolving threat landscape and changes that occur in the system environment.

Azure and FedRAMP

Both Azure and Azure Government maintain FedRAMP High P-ATOs issued by the JAB in addition to more than 400 Moderate and High ATOs issued by individual federal agencies for the in-scope services. And while FedRAMP High authorization in the Azure public cloud will meet the needs of many US government customers, Azure Government provides additional customer assurances through controls that limit potential access to systems processing customer data to screened US persons.

For extra customer assistance, Microsoft provides the Azure Policy regulatory compliance built-in initiatives for Azure and Azure Government, which map to FedRAMP compliance domains and controls:

Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of controls and compliance domains based on responsibility – customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each FedRAMP control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.

Applicability

  • Azure
  • Azure Government

Services in scope

For a list of Microsoft online services in scope for the FedRAMP High P-ATO in Azure and Azure Government, see Cloud services in audit scope.

Office 365 and FedRAMP

For more information about Office 365 compliance, see Office 365 FedRAMP documentation.

Attestation documents

You can request Azure and Azure Government FedRAMP documentation directly from the FedRAMP Marketplace by submitting a package access request form. You must have a .gov or .mil email address to access a FedRAMP security package directly from the FedRAMP Marketplace.

Azure Commercial System Security Plan (SSP) is available from the Service Trust Portal (STP) FedRAMP reports section. You must sign in to access audit reports on the STP. You must have an existing subscription or free trial account in Azure or Azure Government to download audit documents. For more information, see Get started with Microsoft Service Trust Portal.

Select Azure and Azure Government FedRAMP documentation, including the System Security Plan (SSP), continuous monitoring reports, Plan of Action and Milestones (POA&M), and so on, are available under NDA and pending access authorization from a restricted Service Trust Portal (STP) FedRAMP reports section. Contact your Microsoft account representative for assistance.

Azure penetration test reports

An independent third-party assessment organization (3PAO) that is accredited by FedRAMP conducts Azure penetration tests annually. The resulting reports are typically due in September for submission to the FedRAMP Joint Authorization Board (JAB). Once reviewed and approved by the FedRAMP JAB, penetration test reports are uploaded to the Service Trust Portal (STP) Pen Tests and Security Assessments section. This process can take several months from report submission. Therefore, if you can't locate the Azure penetration test report for the current year, it's most likely still under review and pending approval. We aim to upload penetration test reports to the STP by December or shortly thereafter; however, this timeline can vary.

If any vulnerabilities are identified in penetration test reports, their resolution can be tracked via Plan of Action and Milestones (POA&M) submissions. Contact your Microsoft account representative for assistance with access to a restricted section of the STP from where you can download select FedRAMP documentation, including the POA&M files.

For penetration testing that Microsoft conducts routinely on the Azure cloud services platform, see Live-site penetration testing in Security assurance processes and practices. For penetration testing that you can conduct on your own cloud applications, see Penetration testing.

Frequently asked questions

Which Azure regions are in scope for the FedRAMP High P-ATO?
All Azure public regions in the United States are in scope for the Azure FedRAMP High P-ATO. Azure regions outside the United States aren't formally authorized by the FedRAMP JAB, and aren't in the FedRAMP High P-ATO scope. However, Azure security controls and operational processes are the same everywhere Azure runs. FedRAMP is based on the NIST SP 800-53 control baselines. All NIST SP 800-53 controls that support the Azure FedRAMP High P-ATO in the United States are also operational in other Azure regions outside the United States. Therefore, Azure customers outside the United States can count on the same control implementation details that pertain to the NIST SP 800-53 High control baseline.

Which Azure Government regions are in scope for the FedRAMP High P-ATO?
Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia are in scope for the Azure Government FedRAMP High P-ATO.

Does Azure comply with the Federal Information Security Management Act (FISMA)?
FISMA is a US federal law that requires US federal agencies and their partners to procure information systems and services only from organizations that adhere to FISMA requirements. Most agencies and their vendors that indicate that they are FISMA-compliant are referring to how they meet the controls identified in NIST SP 800-53. The FISMA process (but not the underlying standards) was replaced by FedRAMP in 2011. FedRAMP provides a standardized approach for security assessment, authorization, and continuous monitoring of cloud services.

To whom does FedRAMP apply?
FedRAMP is mandatory for federal agency cloud deployments and service models at the low, moderate, and high-risk impact levels. Any federal agency that wants to engage a CSP may be required to meet FedRAMP specifications. In addition, companies that employ cloud technologies in products or services used by the federal government may be required to obtain an ATO.

Where does my agency start its own compliance effort?
For an overview of the steps federal agencies must take to successfully navigate FedRAMP and meet its requirements, go to Get Authorized: Agency Authorization.

Can I use Azure FedRAMP compliance in my agency’s authorization process?
Yes. You may use Azure or Azure Government FedRAMP High P-ATO as the foundation for any program or initiative that requires an ATO from a federal government agency. However, you need to achieve your own authorizations for components outside these services.

Where can I get the Azure FedRAMP documentation?
For links to audit documentation, see Attestation documents. You must sign in to access audit reports on the Service Trust Portal (STP). For more information, see Get started with Microsoft Service Trust Portal. You must have an existing subscription or free trial account in Azure or Azure Government to download audit reports from the STP.

What was the resolution of identified vulnerabilities and where is the latest Azure penetration test report?
See Azure penetration test reports for more information.

What Azure Government services are covered by FedRAMP High P-ATO and in what regions?
To find out what services are available in Azure Government, see Products available by region. For a list of services in scope for the FedRAMP High P-ATO, see Cloud services in audit scope.

Resources