Cloud.gov Overview for Assessors
Overview
Cloud.gov provides a FedRAMP Moderate Authorized Platform as a Service (PaaS) on AWS GovCloud (US), enabling federal agencies to inherit over 60% of NIST SP 800-53 controls. This platform-as-a-service approach reduces assessment scope, accelerates authorization timelines, and provides clear delineation between platform and customer responsibilities. Assessors can leverage Cloud.gov's existing authorization to focus evaluation efforts on application-specific controls.
Prerequisites
- FedRAMP Package Access: Submit Package Access Request Form with Package ID F1607067912
- Cloud.gov Roles: Understanding of Organization Manager, Space Developer, and Space Auditor roles
- Assessment Tools: Access to scanning tools compatible with containerized environments
FAQs
Q: How does Cloud.gov maintain tenant isolation? A: Applications run in separate containers with kernel-level isolation via namespaces, cgroups, and mandatory access controls. See SC-39 implementation details in the SSP.
Q: Who is responsible for application security updates? A: Cloud.gov updates platform buildpacks. Customer responsibility: restage applications to consume those updates and maintain application code security.
Q: How can I verify control inheritance? A: The Control Implementation Matrix in the FedRAMP package maps each control to the responsible party (Cloud.gov, customer, or shared).
Q: What evidence should I request from customers? A: Request application architecture diagrams, security scanning results, incident response procedures, and configuration management documentation for customer-implemented controls.
Q: Where can I get assessment support? A: Contact support@cloud.gov for platform-specific evidence and clarification on control implementation.