The Federal Risk and Authorization Management Program operates in a complex matrix of shared or distributed responsibilities across the federal government. Learn more about who is involved, their responsibilities, and how they interact with FedRAMP.
When applicable, FedRAMP coordinates among the key entities who make up the operation of the program itself and represents them in interactions with FedRAMP stakeholders. Each entity will interact with different groups related to FedRAMP.
Cloud service providers (CSPs):
- FedRAMP
- The Office of the Chief Information Officer at any agency that intends to use your offering
- The 3PAO contracted to provide independent assessment of your offering
Government agencies:
- FedRAMP
- The CSP who operates the offering
- The 3PAO contracted by the CSP to assess the offering
Third party assessment organizations (3PAOs):
- FedRAMP
- The CSP who operates the offering
- The Office of the Chief Information Officer at any agency that intends to use the offering you are assessing
Who makes up FedRAMP within the government?
FedRAMP coordinates with multiple groups who represent various interests and who play complementary roles within the FedRAMP ecosystem. These groups are:
- The FedRAMP Board
- The FedRAMP Technical Advisory Group
- The Federal Secure Cloud Advisory Committee (FSCAC)
- The General Services Administration
- The Office of Management and Budget (OMB) within the Executive Office of the President
- The Department of Homeland Security (DHS)
- The Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security
- The National Institute of Standards and Technology (NIST) within the Department of Commerce
- The Chief Information Officers Council
- The Chief Acquisition Officers Council
The FedRAMP Board
A body of federal executives who are responsible for reviewing and approving FedRAMP policies, and for bringing together their fellow federal technology leaders to expand FedRAMP’s capacity for authorizing cloud services.
The FedRAMP Board is defined in 44 USC 3610 and reinforced in M-24-15.
“to provide input and recommendations to the Administrator regarding the requirements and guidelines for, and the prioritization of, security assessments of cloud computing products and services.”
“The FedRAMP Board, composed of Federal technology leaders appointed by OMB, provides input to GSA, establishes guidelines and requirements for security authorizations, consistent with relevant standards and guidelines of NIST, and supports and promotes the program within the Federal community.”
The Federal Secure Cloud Advisory Committee (FSCAC)
An independent advisory body with government and private-sector members that makes recommendations to GSA on making FedRAMP a more effective program.
More about the FSCAC can be found in 44 USC 3616, M-24-15, and FSCAC's web page.
“ensure effective and ongoing coordination of agency adoption, use, authorization, monitoring, acquisition, and security of cloud computing products and services to enable agency mission and administrative priorities.”
“...GSA and the FedRAMP Board should engage with industry, through the FSCAC and other mechanisms as appropriate...”
The FedRAMP Technical Advisory Group (TAG)
An advisory body made up of federal employees with significant practical experience and expertise in modern cloud technology. The Technical Advisory Group provides advice to FedRAMP and the FedRAMP Board as requested.
More about the TAG can be found in M-24-15.
“OMB and GSA will establish a Technical Advisory Group (TAG) to provide additional subject matter expertise to FedRAMP. The FedRAMP TAG will consist of a team of Federal practitioners not directly associated with the FedRAMP program that will provide advice and insights to FedRAMP on an as-needed basis. The TAG is not a governance body and only provides technical advice on pre-decisional information and situations, making it distinct from the FSCAC or the FedRAMP Board.”