75 In-Depth FedRAMP Questions for Professionals

What is involved in FedRAMP

Find out what the related areas are that FedRAMP connects with, associates with, correlates with or affects, and which require thought, deliberation, analysis, review and discussion. This unique checklist stands out in a sense that it is not per-se designed to give answers, but to engage the reader and lay out a FedRAMP thinking-frame.

How far is your company on its FedRAMP journey?

Take this short survey to gauge your organization’s progress toward FedRAMP leadership. Learn your strongest and weakest areas, and what you can do now to create a strategy that delivers results.

To address the criteria in this checklist for your organization, extensive selected resources are provided for sources of further research and information.

Start the Checklist

Below you will find a quick checklist designed to help you think about which FedRAMP related domains to cover and 75 essential critical questions to check off in that domain.

The following domains are covered:

FedRAMP, Chief Information Officer, Chief Information Officer of the United States, Cloud computing, Cloud computing issues, Cybersecurity, FIPS 199, Federal Information Security Management Act of 2002, GPRA Modernization Act of 2010, General Services Administration, National Institute of Standards and Technology, Office of Management and Budget, Software as a Service, United States Department of Defense, United States Department of Homeland Security:

FedRAMP Critical Criteria:

Graph FedRAMP strategies and forecast involvement of future FedRAMP projects in development.

– For your FedRAMP project, identify and describe the business environment. is there more than one layer to the business environment?

– What new services of functionality will be implemented next with FedRAMP ?

– Fedramp approved / compliant?

– Fedramp approved/compliant?

Chief Information Officer Critical Criteria:

Have a meeting on Chief Information Officer tactics and work towards be a leading Chief Information Officer expert.

– Record-keeping requirements flow from the records needed as inputs, outputs, controls and for transformation of a FedRAMP process. ask yourself: are the records needed as inputs to the FedRAMP process available?

– How do senior leaders actions reflect a commitment to the organizations FedRAMP values?

– How can the value of FedRAMP be defined?

Chief Information Officer of the United States Critical Criteria:

Detail Chief Information Officer of the United States planning and clarify ways to gain access to competitive Chief Information Officer of the United States services.

– What prevents me from making the changes I know will make me a more effective FedRAMP leader?

– Do FedRAMP rules make a reasonable demand on a users capabilities?

– Is a FedRAMP Team Work effort in place?

Cloud computing Critical Criteria:

Mine Cloud computing risks and remodel and develop an effective Cloud computing strategy.

– It is clear that the CSP will face a large number of requests from its customers to prove that the CSP is secure and reliable. There a number of audit and compliance considerations for both the CSP and the customer to consider in cloud computing. First, which compliance framework should a CSP adopt to satisfy its customers and manage its own risks?

– Business Considerations. Business considerations include the overall organizational readiness for using cloud computing. Is the application owner willing and comfortable with a cloud platform?

– Change in technology and prices over time: what will billing units be like for the higher-level virtualization clouds?

– Have you considered that incident detection and response can be more complicated in a cloud-based environment?

– How will technology advancements in soa, virtualization and cloud computing further and enable saas adoption?

– There are issues relating to policy and access. if your data is stored abroad whose policy do you adhere to?

– Will the move to cloud computing shorten the time it takes to deliver functional enhancements to end users?

– Data segregation: will the financial institutions data share resources with data from other cloud clients?

– How do you prove data provenance in a cloud computing scenario when you are using shared resources?

– How can cloud stakeholders ensure and promote the security of Cloud computing?

– Will Cloud Computing replace traditional dedicated server hosting?

– Networks that are flexible, well-performing, and secure?

– What are the security concerns with cloud computing?

– What will cloud computing look like in 5 years?

– Is there a market for developing niche clouds?

– What problems does cloud computing solve?

– Defining terms: what is a cloud platform?

– How energy efficient is cloud computing?

– How not to be locked in a SaaS system?

– Cloud computing: could it cost more?

Cloud computing issues Critical Criteria:

Concentrate on Cloud computing issues projects and observe effective Cloud computing issues.

– How do mission and objectives affect the FedRAMP processes of our organization?

– Which FedRAMP goals are the most important?

– Have all basic functions of FedRAMP been defined?

Cybersecurity Critical Criteria:

Depict Cybersecurity management and gather Cybersecurity models .

– Describe your organizations policies and procedures governing risk generally and Cybersecurity risk specifically. How does senior management communicate and oversee these policies and procedures?

– Has your company conducted a Cybersecurity evaluation of key assets in concert with the National Cyber Security Division of the U.S. Department of Homeland Security (DHS)?

– Does your Cybersecurity plan include alternative methods for meeting critical functional responsibilities in the absence of IT or communication technology?

– How do you monitor your Cybersecurity posture on business IT systems and ICS systems and communicate status and needs to leadership?

– Does the company have equipment dependent on remote upgrades to firmware or software, or have plans to implement such systems?

– Do we maintain standards and expectations for downtime during the upgrade and replacement cycle?

– Is our organization doing any form of outreach or education on Cybersecurity Risk Management?

– Have logical and physical connections to key systems been evaluated and addressed?

– Has your Cybersecurity plan been reviewed in the last year and updated as needed?

– Do we appropriately integrate Cybersecurity risk into business risk?

– Is our Cybersecurity strategy aligned with our business objectives?

– Can I explain our corporate Cybersecurity strategy to others?

– Are our Cybersecurity capabilities efficient and effective?

– Has your system or websites availability been disrupted?

– Do you use contingency-driven consequence analysis?

– Why focus on Cybersecurity & resilience?

FIPS 199 Critical Criteria:

Collaborate on FIPS 199 management and define what our big hairy audacious FIPS 199 goal is.

– How likely is the current FedRAMP plan to come in on schedule or on budget?

– Have the types of risks that may impact FedRAMP been identified and analyzed?

– What threat is FedRAMP addressing?

Federal Information Security Management Act of 2002 Critical Criteria:

Group Federal Information Security Management Act of 2002 risks and track iterative Federal Information Security Management Act of 2002 results.

– What are the success criteria that will indicate that FedRAMP objectives have been met and the benefits delivered?

– Does the FedRAMP task fit the clients priorities?

GPRA Modernization Act of 2010 Critical Criteria:

Group GPRA Modernization Act of 2010 engagements and explore and align the progress in GPRA Modernization Act of 2010.

– What sources do you use to gather information for a FedRAMP study?

– Which individuals, teams or departments will be involved in FedRAMP?

– Is FedRAMP Required?

General Services Administration Critical Criteria:

Categorize General Services Administration governance and finalize the present value of growth of General Services Administration.

– Is FedRAMP Realistic, or are you setting yourself up for failure?

– How much does FedRAMP help?

National Institute of Standards and Technology Critical Criteria:

Chat re National Institute of Standards and Technology decisions and research ways can we become the National Institute of Standards and Technology company that would put us out of business.

– Do those selected for the FedRAMP team have a good general understanding of what FedRAMP is all about?

– When a FedRAMP manager recognizes a problem, what options are available?

– Are there FedRAMP problems defined?

Office of Management and Budget Critical Criteria:

Read up on Office of Management and Budget projects and probe using an integrated framework to make sure Office of Management and Budget is getting what it needs.

– What about FedRAMP Analysis of results?

– How do we go about Securing FedRAMP?

– How do we Lead with FedRAMP in Mind?

Software as a Service Critical Criteria:

Prioritize Software as a Service engagements and oversee Software as a Service management by competencies.

– What tools do you use once you have decided on a FedRAMP strategy and more importantly how do you choose?

– Why are Service Level Agreements a dying breed in the software as a service industry?

United States Department of Defense Critical Criteria:

Align United States Department of Defense projects and grade techniques for implementing United States Department of Defense controls.

– What are your most important goals for the strategic FedRAMP objectives?

– Is there any existing FedRAMP governance structure?

United States Department of Homeland Security Critical Criteria:

Pay attention to United States Department of Homeland Security outcomes and track iterative United States Department of Homeland Security results.

– Is the FedRAMP organization completing tasks effectively and efficiently?

– What are the usability implications of FedRAMP actions?

– Do we have past FedRAMP Successes?


This quick readiness checklist is a selected resource to help you move forward. Learn more about how to achieve comprehensive insights with the FedRAMP Self Assessment:


Author: Gerard Blokdijk

CEO at The Art of Service | theartofservice.com



Gerard is the CEO at The Art of Service. He has been providing information technology insights, talks, tools and products to organizations in a wide range of industries for over 25 years. Gerard is a widely recognized and respected information expert. Gerard founded The Art of Service consulting business in 2000. Gerard has authored numerous published books to date.

External links:

To address the criteria in this checklist, these selected resources are provided for sources of further research and information:

FedRAMP External links:


FedRAMP Tailored for Low-Impact Software- as-a …

Program Overview | FedRAMP

Chief Information Officer External links:

Title Chief Information Officer Jobs, Employment | Indeed.com

OMES: Chief Information Officer (CIO) – Home


Cloud computing External links:

AWS Cloud Computing Certification Program – aws.amazon.com

ClearDATA – Secure, HIPAA Compliant Cloud Computing

Microsoft Azure Cloud Computing Platform & Services

FIPS 199 External links:

[PDF]FIPS 199, Standards for Security Categorization of …


[PDF]FIPS 199: New Standards for Security Caal Information …

Federal Information Security Management Act of 2002 External links:

Federal Information Security Management Act of 2002 …

GPRA Modernization Act of 2010 External links:

H.R.2142 – GPRA Modernization Act of 2010 111th …


GPRA Modernization Act of 2010. (Book, 2011) …

General Services Administration External links:

US General Services Administration – Unauthorized …

GSA – U.S. General Services Administration | OfficeSupply…

National Institute of Standards and Technology External links:

National Institute of Standards and Technology – YouTube

Office of Management and Budget External links:

Procurement | ND Office of Management and Budget

Office Of Management And Budget | CIO.gov

Office of Management and Budget (OMB) – nyc.gov

Software as a Service External links:

What is SaaS? Software as a Service | Microsoft Azure

[PDF]Software as a Service (SaaS)

What is Software as a Service (SaaS) – Salesforce.com

United States Department of Defense External links:

United States Department of Defense – Official Site

[PDF]United States Department of Defense (DoD) DoD …

United States Department of Defense Standards of …