Rethinking the Role of Compliance


The FedRAMP security controls are based on NIST SP 800-53 Revision 5 baselines and contain controls above the NIST baseline that address the unique elements of cloud computing. 


What is FedRAMP

The Federal Risk and Authorization Management Program, or FedRAMP, applies to any cloud service or solution provider aiming to work with the U.S. federal government. In 2011, the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense (DOD), the Department of Homeland Security (DHS) and other government agencies collaborated to develop the framework.

The resulting government-wide program establishes a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP, like other federal frameworks such as FISMA, ties to the NIST 800-53 control library. However, FedRAMP includes additional controls regarding the unique aspects of cloud computing, enhancing the standard baseline controls.

Furthermore, FedRAMP is divided into 3 levels of risk impact. The levels are used to determine the set of controls an organization must adhere to, depending on their inherent risk.

Encompasses data intended for public use. Any loss of data wouldn’t compromise an agency’s mission, safety, finances, or reputation
Includes data that’s not available to the public, such as personally identifiable information. A breach of this data can have a serious impact on an agency’s operations.
Includes sensitive federal information, such as law enforcement, emergency services, and healthcare data. Breaches to government systems containing this data would likely be catastrophic— potentially shutting down operations, resulting in financial ruin, posing a threat to intellectual property, or maybe even human life.

Process for a FedRAMP certified Cloud Service Provider (CSP)


Confirm an interest from a potential sponsor agency. Develop a relationship with a 3 rd Party Authorizing Organization (3PAO).


Kickoff meeting with agency, 3PAO, and Project Management Office (PMO). CSP completes System Security Plan (SSP). 3PAO completes testing and submits the Security Assessment Report (SAR). CSP builds Plan of Action & Milestones (POA&M). Authorization decision.


CSP provides monthly continuous monitoring reports to prove compliance.

“Do Once, Use many Times”

Once authorized, CSP can be used by other agencies. Listing on FedRAMP Marketplace.

Your FedRAMP Solution: Q-Compliance

Q-Compliance is purpose-built to help you streamline and automate complex cybersecurity auditing and compliance requirements like FedRAMP. As a native Splunk solution, Q-Compliance leverages continuous monitoring and reporting to ensure compliance against FedRAMP in real-time.

Qmulos makes ongoing FedRAMP compliance easy with automated alerting tied to passing and failing controls. If a control fails, a detailed report with actionable information to address the issue is generated. The solution gives the user the ability to upload policy, procedure and file evidence as well as automatically log human activity, and keeps evidence needed for future audits all in one place.

Schedule Your Demo Now!

Schedule your demo today to see how Q-Compliance can transform your compliance experience.

Play Video

Request a Demo

Learn how QMULOS can help your company grow by scheduling a demo with our team.