Sorry, not available in this language yet

English
日本語
简体中文

AI-generated code | Harness the power of AI coding assistants while managing the risks.
API Security Testing | Manage software risks with a holistic API security testing program.
AppSec Program Consolidation | Simplify your application security program.
Application Security Testing | Solutions to address security risks at all stages of the application life cycle.
DevSecOps | Solutions to help shift security left without slowing down your development teams.
Software Supply Chain Security | Solutions to identify and manage software supply chain risks end-to-end.
Manage Enterprise AppSec Risk | Scale your application security program without increasing complexity or adding friction.
Cloud & Container Security | Optimize your applications for secure deployment and operation in the cloud.
Open Source License Compliance | Effective solutions for ensuring open source license compliance.
M&A Due Diligence | Identify software risks that could negatively impact the value of acquired IP.
Quality and Security Standards Compliance | Ensure your software complies with the standards critical to customers and regulators.

Static Analysis (SAST) | Analyzing code for security vulnerabilities without executing it.
Software Composition Analysis (SCA) | Analyzing software components for security and license compliance.
Dynamic Analysis (DAST) | Testing running applications for security vulnerabilities.
Interactive Analysis (IAST) | Real-time security testing during application execution.
Penetration Testing | Simulated cyberattacks to identify vulnerabilities.
Mobile Application Security Testing (MAST) | Ensuring the security of mobile applications.
Application Security Posture Management (ASPM) | Managing and improving application security posture.
Fuzz Testing Solutions | Identifying vulnerabilities by inputting random data to applications.

Automotive | Security solutions for automotive industry applications.
Financial Services | Security solutions tailored for financial services.
IoT & Embedded | Security for Internet of Things and embedded systems.
Medical Devices | Security solutions for medical devices.
Public Sector | Security solutions for government and public sector organizations.

Dev and DevOps Teams | Security tools and practices for development and DevOps teams.
Security Teams | Solutions and support for dedicated security teams.
Legal Teams | Resources and compliance tools for legal teams.

What is FedRAMP?

Table of Contents

What are the goals of FedRAMP?
What are the FedRAMP governance bodies?
What requires FedRAMP compliance?
What types of authorizations are available for FedRAMP and who is involved?
How do federal agencies, CSPs, and 3PAOs satisfy FedRAMP requirements?
How can Black Duck help satisfy FedRAMP requirements?

Definition

The Federal Risk and Authorization Management Program (FedRAMP) is a United States government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

FedRAMP enables federal agencies and cloud solution providers (CSPs) to adapt rapidly from old, insecure, legacy IT to mission-enabling, secure, cost-effective, cloud-based IT.

FedRAMP defines and manages a core set of processes to ensure effective, repeatable cloud security for the government. It also established a mature marketplace to increase the use of and familiarity with cloud services while facilitating collaboration across government through the open exchange of lessons learned, use cases, and tactical solutions

What are the goals of FedRAMP?

FedRAMP aims to:

Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
Improve confidence in the security of cloud solutions and security assessments
Achieve consistent security authorizations using a baseline set of agreed-upon standards for cloud product approval in or outside of FedRAMP
Ensure consistent application of existing security practices
Increase automation and use of near-real-time data for continuous monitoring

What are the FedRAMP governance bodies?

The governance of FedRAMP is performed by various executive branch entities that work collaboratively to develop, manage, and operate the program. FedRAMP governing bodies include the following:

Joint Authorization Board (JAB) is the primary governance and decision-making body for FedRAMP. It includes the chief information officers (CIOs) from the Department of Homeland Security (DHS), General Services Administration (GSA), and Department of Defense (DOD).
Office of Management and Budget (OMB) is the governing body that issued the FedRAMP policy memo, which defines the key requirements and capabilities of the program.
CIO Council disseminates FedRAMP information to federal CIOs and other representatives through cross-agency communications and events.
FedRAMP Program Management Office (PMO) is within GSA and is responsible for the development of the FedRAMP program including the management of day-to-day operations.
Department of Homeland Security (DHS) manages the FedRAMP continuous monitoring strategy including data feed criteria, reporting structure, threat notification coordination, and incident response.
National Institute for Standards and Technology (NIST) advises FedRAMP on Federal Information Security Modernization Act (FISMA) compliance requirements and assists in developing the standards for the accreditation of independent third-party assessment organizations (3PAOs).

What requires FedRAMP compliance?

Per an OMB memorandum, any cloud services offering (CSO) that holds federal data must be FedRAMP authorized.

FedRAMP compliance is mandatory for federal agency cloud deployments and service models at the low-, moderate-, and high-risk impact levels. Private cloud deployments intended for single organizations and implemented fully within federal facilities are the only exception.

What types of authorizations are available for FedRAMP?

FedRAMP cloud service authorizations include:

Provisional authority to operate (P-ATO) by the JAB
Agency authority to operate (ATO)
Tailored authorization

Who is involved in FedRAMP authorization?

Federal agencies can save money and time by adopting innovative cloud services to meet their critical mission needs.
CSPs offer cloud services that allow federal agencies to meet their mission needs securely and quickly.
3PAOs perform initial and periodic assessments of cloud systems to ensure they meet FedRAMP requirements.

How do federal agencies, CSPs, and 3PAOs satisfy FedRAMP requirements?

The FedRAMP Security Controls Baseline document provides an overview of the security controls, enhancements, parameters, requirements, and guidance listed in the FedRAMP System Security Plan templates.

Federal agencies and CSPs must implement these security controls, enhancements, parameters, and requirements within a cloud computing environment to satisfy FedRAMP requirements. The security controls and enhancements have been selected from the NIST SP 800-53 Revision 4 catalog of controls. The selected controls and enhancements are for cloud systems designated at the low-, moderate-, and high-impact information systems as defined in Federal Information Processing Standards (FIPS) Publication 199.

How can Black Duck help satisfy FedRAMP requirements?

Application security (AppSec) is a significant component of achieving FedRAMP compliance, and Black Duck can address all your AppSec needs and controls. The Black Duck portfolio includes AppSec tools and services that help address many of the FedRAMP control families.

Awareness and training
Configuration management
Identification and authentication
Planning
Risk assessment
Security assessment and authorization
System and information integrity
System and services acquisition

Black Duck tools and services provide full or partial compliance for AppSec-related FedRAMP needs and controls.

Application security tools and services | Black Duck