FedRAMP 等效与 FedRAMP 授权对比

出版日期： 19 12 月, 2024

联邦风险与授权管理计划 (FedRAMP) 是美国政府的一项计划，旨在标准化和简化联邦机构对云计算服务的评估、授权和持续监控。它为云服务提供商 (CSP) 确立了一套一致的安全要求，以确保其产品满足联邦政府严格的安全和隐私需求。

FedRAMP 授权产品与 FedRAMP 等效产品的区别在于，FedRAMP 授权产品已被官方认定为安全、合规的云解决方案，获准用于联邦政府，并已列入 FedRAMP 官方市场。相比之下，FedRAMP 等效产品是对类似级别的安全努力和意图的自我证明，但该产品并未在官方 FedRAMP 市场中列出。

“FedRAMP 等效性”是什么意思？

声称已达到 FedRAMP 等效性的 CSP 表示其产品符合与 FedRAMP 相当的安全标准，但该 CSP 尚未正式完成严格的 FedRAMP 授权流程。非美国人可能会使用这一术语。根据 FedRAMP 指南实施控制措施的组织、州政府或私人实体。 CSP 通常（但并非总是如此）会使用 FedRAMP 等效性来表明其已具备 FedRAMP 合规准备状态，或表明其打算获得完整的 FedRAMP 授权。

FedRAMP 等效性的关键特征如下：

CSP 自行证明其产品符合 FedRAMP 安全控制要求或将其用作基准。
CSP 的产品可能已经或尚未经过联邦机构或联合授权委员会 (JAB) 的正式评估或获得运营授权 (ATO)。
该 CSP 的产品未列入 FedRAMP 官方市场平台。

FedRAMP 授权是什么意思？

销售 FedRAMP 授权产品的 CSP 已完成 FedRAMP 授权流程，包括由第三方评估组织 (3PAO) 进行的严格安全评估，产品已获得联邦机构或 JAB 的 ATO。

FedRAMP 授权的关键特征如下：

CSP 的产品已通过 3PAO 的非常详细的安全审查和测试流程，并且必须每年接受重新授权审计。
CSP 的产品已被联邦机构或联合授权委员会授予 ATO。
CSP 的产品已在 FedRAMP 官方市场上列出。

FedRAMP 等效与 FedRAMP 授权之间的关键区别

下表总结了 FedRAMP 等效性与 FedRAMP 授权之间的主要区别。

	FedRAMP Authorized	FedRAMP Equivalent
Definition	A cloud product that has undergone the full FedRAMP security assessment process and received an official Authority to Operate (ATO) or Provisional Authority to Operate (P-ATO).	A cloud product that claims to be aligned with FedRAMP security controls but has not completed the formal FedRAMP authorization process.
Assessment Process	Requires a formal review by a FedRAMP-approved 3PAO and approval from a federal agency or the JAB.	Often involves internal assessments or informal audits aligned with FedRAMP standards, which may or may not have been done with oversight by a 3PAO or federal entity.
Security Standards	Fully compliant with FedRAMP’s standardized controls, derived from NIST SP 800-53.	Aligns with FedRAMP security controls but may not fully meet them.
Government Recognition	Listed on the FedRAMP Marketplace and officially recognized by federal agencies.	Not listed on the FedRAMP Marketplace and may not be recognized by federal agencies.
Verification	Includes comprehensive documentation, audits and ongoing monitoring validated by the U.S. government.	May or may not include partial documentation and assessments.
Continuous Monitoring	Requires continuous monitoring, with regular reporting and updates to maintain authorization.	Continuous monitoring may be implemented but not necessarily aligned with FedRAMP’s formal requirements.
Use Cases	Can be used by U.S. federal agencies procuring cloud services. Suitable for systems processing sensitive but unclassified (Moderate) or highly sensitive (High) data.	May be used for state, local or private sector applications where full FedRAMP authorization is not mandatory. May not be sufficient for direct federal use and cannot be used for highly sensitive (High) data.
Reusability Across Agencies	Can be reused across multiple federal agencies without having to examine the CSP’s entire Body of Evidence (BoE). This significantly reduces the time and cost of evaluating and onboarding the product.	No reusability. Each agency or organization may need to conduct its own security assessment, including a review of the CSP’s entire BoE, including their System Security Plan (SSP), Security Assessment Plan (SAP) and all attachments. This duplicates effort and significantly increases the time and cost of evaluating and onboarding the product.

与“FedRAMP 等效”提供商而非 FedRAMP 授权提供商合作的风险

选择与具有 FedRAMP 等效认证的 CSP 合作，而不是与 FedRAMP 授权的 CSP 合作，会带来一定风险，因为提供商的安全措施未经过正式验证，也未得到政府认可。与“FedRAMP 等效”的 CSP 合作的其他风险包括可能存在的安全漏洞和安全控制措施的实施不一致。 FedRAMP 授权包含 325 项以上的控制措施和持续监控，以确保极高的安全标准。同等级的提供商可能实施的控制措施较少，或者缺乏强大的监控流程。此外，由于 FedRAMP 等效性暂无标准化认证流程，不同 CSP 的合规水平可能存在显著差异。

由于这些风险，FedRAMP 等效产品最适合需要符合高安全标准但又不想承担 FedRAMP 授权产品成本的非联邦组织，如私营公司或州和地方政府。例如，私营医疗保健组织可以使用 FedRAMP 等效系统来确保数据安全，以满足 HIPAA 的合规要求。

基本要点

与“FedRAMP 等效”提供商而非 FedRAMP 授权提供商合作，会使组织面临安全漏洞、不合规以及更容易遭受网络攻击等风险。虽然 FedRAMP 等效的 CSP 可能会在与安全标准保持一致方面表现出诚意，但只有获得 FedRAMP 授权的 CSP 才会接受正式验证和持续监控，从而全面降低这些风险。

此外，评估 FedRAMP 等效提供商是一个耗时且昂贵的过程，涉及检查提供商的整个 BoE，其中通常包括数百页甚至数千页的文档。相反，选择 FedRAMP 授权提供商意味着 3PAO 已检查该提供商的 BoE，已测试其控制措施，并已确认该提供商的产品符合 FedRAMP 标准。机构只需在官方 FedRAMP 市场中查看 CSP 的列表即可验证这一点。

对于联邦用途，与已获得 FedRAMP High 授权的提供商（例如 Keeper）合作对于确保强大的安全性和合规性至关重要。

Teresa Rothaar

作者： Teresa Rothaar

Teresa Rothaar is a governance, risk, and compliance (GRC) analyst at Keeper Security. In this role, she spearheads employee cybersecurity awareness training; maintains the company’s RFP response library; creates and maintains internal security policies; develops automated GRC processes to achieve robust risk management and compliance results; performs external vendor risk assessments; and facilitates third-party certification audits. Prior to joining Keeper, she spent six years as a cybersecurity copywriter, where she produced hundreds of blogs and ghostwritten articles, dozens of whitepapers and case studies, and other thought leadership content for cybersecurity firms ranging from small startups to multinational corporations. She is a CISSP, holds an MBA and an M.S. in management information systems from Wilmington University, and received a B.S. in mathematics and computer science from Temple University.