The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The phases of the FedRAMP process are summarized below.
| Phase | Description |
|---|---|
| Categorize the Information System | The Cloud Service Provider (CSP) identifies the information types that the system contains (or can contain) and uses them to determine the system's impact level. |
| Implement Security Controls | The CSP selects the FedRAMP security control baseline that corresponds to the expected impact level and implements the controls it requires. |
| Assess | The CSP must use an independent assessor to test the information system and demonstrate that the controls are effective and implemented as documented in the System Security Plan (SSP). |
| Analysis of Risk | Once the security controls are tested, the risks found are analyzed and the results are presented in a Security Assessment Report (SAR). |
| Change Control | Change control is put in place to handle system changes that were not anticipated in the configuration management plan and that may affect FedRAMP requirements. |
| Incident Response | The shared-tenant architecture of cloud services means that a single incident may affect multiple Federal Agencies using the same service. FedRAMP works with US-CERT to coordinate incident response activities. |
| Operational Visibility | The goal of operational visibility is to reduce the administrative burden of demonstrating compliance and shift instead toward real-time oversight through automated monitoring. |
To view the available compliance programs, open Compliance in your Aqua CSPM Console and select Defaults or Custom to filter the programs displayed. You can also expand a program's control details using the Expand Settings toggle.