Cloud.gov Compliance & Controls
Overview
Cloud.gov's FedRAMP Moderate Authorization enables federal agencies to inherit security controls and accelerate their own authorization processes. By leveraging Cloud.gov's platform-level controls, agencies can focus on application-specific requirements while inheriting over 60% of NIST SP 800-53 controls.
Prerequisites
- Understanding of NIST SP 800-53 control families
- Access to FedRAMP baseline documentation
- Assigned Information Systems Security Officer (ISSO) or equivalent role
Process / Steps
1. Request FedRAMP Package Access
Submit the FedRAMP Package Access Request Form using Package ID F1607067912.
2. Review Control Inheritance Model
Analyze Cloud.gov's three-tier responsibility model:
- Inherited Controls: Platform controls fully managed by Cloud.gov
- Shared Controls: Joint implementation between Cloud.gov and customer
- Customer Controls: Application-specific controls you implement
3. Map Controls to Your System
Customer Responsibility: Document control implementation in your System Security Plan (SSP):
- Mark inherited controls as "INH"
- Detail your implementation for shared controls
- Fully document customer-owned controls
4. Implement Continuous Monitoring
Establish ongoing compliance through:
- Automated vulnerability scanning
- Log streaming to agency Security Information and Event Management (SIEM)
- Quarterly control reviews
- Annual independent assessments
5. Maintain Compliance with Federal Directives
Cloud.gov supports compliance with binding federal directives: it continuously tracks every binding federal cybersecurity requirement and folds it into the platform's control baseline. This includes, but is not limited to, laws passed by Congress, Presidential Executive Orders, Office of Management and Budget (OMB) policy memoranda, Cybersecurity and Infrastructure Security Agency (CISA) directives, and any other mandates with legal force.
FAQs
Q: What impact levels does Cloud.gov support? A: Cloud.gov supports FISMA Low and Moderate impact systems under its FedRAMP Moderate Authorization.
Q: How often is Cloud.gov assessed? A: Cloud.gov undergoes annual FedRAMP assessments with continuous monitoring.
Q: Can I automate compliance evidence collection? A: Yes. Cloud.gov provides logging integrations compatible with common GRC tools.
Q: Do I need a separate ATO for each application? A: Consult your Authorizing Official. Many agencies approve multiple similar applications under a single authorization when using Cloud.gov.