
Cloud Service Provider Responsibilities

FedRAMP does not regulate private companies. Agencies must use only cloud services that hold a FedRAMP Certification when a use case falls within the scope of FedRAMP, so cloud service providers are subject to FedRAMP rules only if they wish to provide those services to agencies.

To obtain and maintain a FedRAMP Certification, cloud service providers must follow all FedRAMP rules. Cloud service providers are solely and entirely responsible for ensuring that the rules are followed properly, ongoing activities are performed as expected, and that any changes to the FedRAMP rules are adopted as necessary. All costs associated with obtaining and maintaining a FedRAMP Certification, including the use of an independent assessment service as needed, are the responsibility of the cloud service provider.

Cloud service providers are entirely responsible for the accuracy and completeness of the information they provide to FedRAMP and to agencies throughout initial and ongoing FedRAMP Certification (and agency use).

Submitting, or causing to submit, false or fraudulent claims or related statements to the government is a crime, as is lying to or misleading federal auditors. Any indications of such will result in referral to the Department of Justice for investigation.

In general, the responsibilities to obtain and maintain a FedRAMP Certification for cloud service providers include:

  1. Creating and maintaining certification materials following the FedRAMP process.
  2. Storing and sharing certification materials with independent assessors, FedRAMP, CISA, and federal agencies as expected.
  3. Operating ongoing certification activities on a persistent cadence and sharing much more information with the government than companies typically share with private-sector customers.
  4. Partnering with an independent assessment service for initial and ongoing assessment to ensure adequate quality of the cloud service provider’s certification program.
  5. Following and responding to changes to FedRAMP rules in alignment with published deadlines and expectations.
  6. Engaging with FedRAMP and responding to data calls, emergency notifications, and other such activities as needed.
  7. Ensuring that any contract agreement with agencies does not restrict the cloud service provider from meeting FedRAMP Certification rules.

Agencies may require cloud service providers to provide additional materials, implement additional capabilities, or otherwise modify their cloud service offering or operational procedures as part of a contract agreement, based on specific agency requirements. This is expected and acceptable. However, cloud service providers must avoid any contractual obligation that prevents them from meeting ongoing FedRAMP Certification rules, unless they are willing to lose their FedRAMP Certification.

