FedRAMP has No Citizenship Requirements

FedRAMP has no US citizenship/persons requirements. Learn why this is important and how it relates to export controlled information.

https://cdn.grcacademy.io/web/20230520021409/fedramp.gov-featured-image_1920x1080.jpg

Founder @ GRC Academy | December 7, 2022 ยท 2 min read

Someone on the fedramp.gov website.
Someone on the fedramp.gov website.

This may surprise you, but FedRAMP does not have any US citizenship / US persons requirements.

FedRAMP is a federal program that standardizes federal security requirements for cloud service providers (CSPs). Federal agencies can leverage the CSP’s FedRAMP authorization package which makes it much easier for CSPs to work with the federal government.

You can learn more about FedRAMP by watching the “FedRAMP Overview” video below from our CMMC Overview Training for Small and Medium Businesses (SMBs).

DFARS 252.204-7012 states that cloud systems which the contractor uses to store, process, or transmit DoD CUI must meet security requirements “equivalent” to the FedRAMP-moderate baseline.

This may cause some to believe that a FedRAMP-moderate authorization checks all of the required boxes. It does NOT. If you possess export-controlled information such as International Traffic in Arms Regulations (ITAR), YOU are responsible for ensuring the CSP is staffed by US persons.

We reached out to the FedRAMP office to verify that the there are no US citizenship / US person requirements, and this was the response:

Email from the FedRAMP office stating that FedRAMP has no citizenship requirements.
Email from the FedRAMP office stating that FedRAMP has no citizenship requirements.

The FedRAMP FAQ page alludes to FedRAMP’s lack of citizenship requirements:

Q: What does FedRAMP require for personnel screening requirements from Cloud Service Providers (CSPs)?

A: FedRAMP requires CSPs to describe their organizationโ€™s personnel screening requirements. If an agency has requirements for federal background investigations, or additional screening and/or citizenship and physical location (e.g., U.S. citizens in Continental United States [CONUS] offices only), then those requirements would need to be specified in the solicitation language, which may affect bid pricing.

The FedRAMP office posted a much more direct response on GitHub:

Thank you for your question. As with all FedRAMP authorizations, FedRAMP Tailored does not specify a citizenship requirement as there is no government-wide requirement on citizenship. The only requirement is for the CSP to perform background checks, and the CSP has the freedom to determine exactly what background checks are performed. While a CSP may have non-US persons supporting their system and can still achieve an ATO with some agencies, there are several agencies that maintain their own citizenship requirements. In other words, a CSP using non-US persons is still FedRAMP compliant, but will find their market limited among Federal agencies.

We had an interesting discussion regarding this topic on LinkedIn. A gentleman stated that US citizenship was an early requirement for FedRAMP, but GSA decided to remove it.

We hope that this helps you! If you have any questions, please contact us.

CMMC Training

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!