Federal Risk and Authorization Management Program (FedRAMP) is meant to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.


ControlDescription
Categorize The Information System
To categorize the system, the Cloud Service Provider (CSP) determines the information types to categorize what types of data are (or can be) contained within the system to determine the impact level for the system.
Implement Security Controls
The Cloud Service Provider(CSP) selects the FedRAMP security control baseline and then implements the security controls related to the expected impact level.
Assess
CSPs must use an independent assessor to test the information system to demonstrate that the controls are effective and implemented as documented in the system security plan.
Analysis of Risk
Once the Security controls are tested, the risks found are analyzed, and later, results presented in a Security Assessment Report(SAR).
Change Control
Change Control is put in place to cater to the system changes that maybe not be initiated in the configuration management plan which may impact FedRamp requirements.
Incident Response
The shared tenant architecture of cloud services implies that a single incident may impact multiple Federal Agencies leveraging the cloud services. FedRAMP works with US-CERT to coordinate incident response activities.
Operational Visibility
The goal of operational visibility is to reduce the administrative burden associated with demonstrating compliance and instead to shift toward real-time oversight monitoring through automated approaches.



To View the Compliance Programs available visit Compliance in your Aqua CSPM Console, and select Defaults or Custom to filter the programs displayed, you can also expand the program control details using the Expand Settings toggle.