1 | | External | 3PAO | Time / Cost | No | Yes | Assessment - 3PAO Time & Cost | Total amount of time and overall cost it takes for a FedRAMP-recognized 3PAO to perform: 1. New Initial Assessment 2. Annual Assessment 3. Readiness Assessments | 1. Time & cost will vary depending on the size and scope of the assessment. |
2 | | External | CX Agency | Time / Cost | No | Yes | Initial Authorization - Agency Time & Cost | Total amount of time and the cost (resourcing) it takes for an agency to perform a review of a cloud service offering for an initial authorization. | 1. Tracking the amount of time agencies spend authorizing a product, and what might cause that timeline to increase or decrease, is important for the agency's customer experience; a challenge here is identifying when the clock begins and ends so that the metric is captured consistently across agencies. 2. Time & cost will vary depending on the size and scope of the assessment. Cost may be difficult to track for agencies that do not have a fee-for-service model. 3. FedRAMP encourages public feedback on how to best capture this metric accurately. |
3 | | External | CX Agency | Time / Cost | No | Yes | Reuse Authorization - Agency Time & Cost | Total amount of time and the cost for an agency to perform a review of a cloud service offering for a "reuse" authorization. | 1. Tracking reuse authorization time & cost against initial authorization time shows the value of using an already authorized product. 2. Time & cost will vary depending on system variables. Cost may be difficult to track for agencies that do not have a fee-for-service model. 3. FedRAMP encourages public feedback on how to best capture this metric accurately. |
4 | | External | CX Agency | Time / Cost | No | Yes | Continuous Monitoring - Agency Time & Cost | In cases where a single agency is responsible for all continuous monitoring activities of a CSO, this tracks the total overhead cost and time an agency takes on for its continuous monitoring responsibilities. | 1. This may vary depending on the level of review each agency does and be difficult to track for agencies that do not have a fee-for-service model. 2. Time & cost will vary depending on system variables. Cost may be difficult to track for agencies that do not have a fee-for-service model. 3. FedRAMP encourages public feedback on how to best capture this metric accurately. |
5 | | External | CX Agency | Time / Cost | No | Yes | Centralized Continuous Monitoring - Agency Time & Cost | In cases where FedRAMP has centralized ConMon for a CSO, this tracks the total overhead cost and time an agency takes on for its continuous monitoring responsibilities. | 1. This may vary depending on the level of review each agency does and be difficult to track for agencies that do not have a fee-for-service model. 2. Time & cost will vary depending on system variables. 3. FedRAMP encourages public feedback on how to best capture this metric accurately. |
6 | | External | CX Agency | Time / Cost | No | No | Direct Reuse of FedRAMP Authorized Products | Direct reuse is when an agency authorizing official uses pre-existing FedRAMP authorization artifacts, rather than conducting its own independent assessment of FedRAMP's baseline security controls, to authorize use of a CSP's cloud product. This is the total number of authorizations represented by ATO/ATU letters on file with FedRAMP. | |
7 | | External | CX Agency | Time / Cost | No | No | Indirect Reliance on FedRAMP Authorized Products | Indirect reliance is when an agency authorizing official uses a cloud product that itself relies on an underlying FedRAMP Authorized product. | |
8 | | External | CX CSP | Time / Cost | No | No | CSP Documentation | Total amount of time and cost it takes a FedRAMP In Process CSP to document security controls (SSP & attachments). | 1. Time will vary depending on multiple variables, including impact level, deployment model, type of service offering, number of contributors, etc. 2. FedRAMP encourages public feedback on how to best capture this metric accurately. |
9 | | External | CX CSP | Security | Yes | Yes | CSP Package Quality - Gap Areas | Most common gap areas FedRAMP identifies in packages each quarter (e.g., encryption, boundary diagram, data flow diagrams, DMARC, etc.). Identifying these areas will help FedRAMP create Knowledge-Based Articles (KBAs) focused on areas where guidance may be lacking. | |
10 | | External | CX CSP | Cost | No | No | Continuous Monitoring - Ongoing Product Maintenance | Measures the cost to a CSP of maintaining an active FedRAMP Authorization in the continuous monitoring phase (e.g., the annual assessment, development and security staff costs, monthly ConMon meetings, responding to data calls, etc.). | |
11 | | Internal | Program Performance | Security | No | Yes | Package Resubmission | Number of times a CSP resubmits a package for FedRAMP review for the initial authorization | |
12 | | Internal | Program Performance | Time | Yes | Yes | FedRAMP Package Queue time | Overall time between when a full initial package is submitted to FedRAMP and the initial review is complete | |
13 | | Internal | Program Performance | Time | Yes | Yes | FedRAMP Package Review time | Overall time initial authorization package is in active review phase | |
14 | | Internal | Program Performance | Security | Yes | No | % of marketplace CSPs covered under Centralized Continuous Monitoring | Percentage of marketplace CSPs that are covered under centralized continuous monitoring; this measures growth in the number of CSPs that transition to centralized continuous monitoring. | |
15 | | Internal | Program Performance | Security | Yes | No | % of marketplace CSPs meeting core security requirements | FedRAMP Authorized CSOs that are meeting core security requirements based on current POA&M and ConMon information excluding CSPs under active CAP remediation or suspended. | 1. This metric will only measure CSPs covered under centralized continuous monitoring. |
16 | | Internal | Program Performance | Security | No | No | % of systems meeting current package requirements | FedRAMP will provide a list of package requirements as part of the digital authorization process and this will measure the percentage of systems that meet all the requirements. | 1. This metric will be implemented in the future state for digital authorization packages. |
17 | | Internal | Program Performance | Security | No | Yes | % of systems transitioned to current 800-53 revision | This will track the percentage of systems that have transitioned from the old 800-53 revision to the new one (currently Rev 4 to Rev 5). | |
18 | | Internal | Program Performance | Security | No | Yes | Number of incidents involving FedRAMP Authorized CSOs | Number of incidents that impacted FedRAMP Authorized CSOs within the year | |
19 | | Internal | Program Performance | Security | No | Yes | Type of incidents involving FedRAMP Authorized CSOs | Type of incidents that impacted FedRAMP Authorized CSOs within the year | |
20 | | External | Program Performance | Time | Yes | No | Authorization timeline for FedRAMP program authorizations | Time from SAR delivery to authorization for FedRAMP program authorizations | 1. This is a metric FedRAMP plans to capture once program authorization path is set up. |
21 | | Internal | Program Performance | Time | Yes | Yes | PMO Resubmission Duration | Duration between CSP re-submission and FedRAMP final review report submission | |