The Federal Information Security Management Act of 2002 (FISMA) is a United States federal law that requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by third parties such as a cloud service provider. The act recognizes the importance of information security to the economic and national security interests of the United States.
The Federal Risk Authorization Management Program (FedRAMP) refers to a United States (US) government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP applies to US federal, state, and local governments, and federally funded research and development centers.
Both FedRAMP and FISMA use the NIST SP 800-53 security controls. The FedRAMP security controls are based on the NIST SP 800-53 Rev. 4 baselines and include additional controls beyond the NIST baseline that address the unique elements of cloud computing.