Comparative Review Of FedRAMP And ISM | Sekuro

Comparative Review of FedRAMP and ISM

As an IRAP (InfoSec Registered Assessors Program) assessor and GRC (Governance, Risk, and Compliance) analyst at Sekuro, my role involves a daily deep dive into the intricacies of cloud security frameworks and their implications for our operations. In this article, I will provide a comparison between the Federal Risk and Authorisation Management Program (FedRAMP) in the United States and the Information Security Manual (ISM) controls under the IRAP program in Australia.   

This analysis of FedRAMP vs ISM will not only highlight the processes behind these programs but also explore the opportunities for streamlining requirements to enhance efficiency and reduce duplication of effort. 

FedRAMP: A Deep Dive into the U.S. Cloud Security Framework

FedRAMP is a critical component of the U.S. government’s approach to cloud security. It is a government-wide program designed to ensure that cloud services used by federal agencies meet stringent security requirements. The process is initiated when a Cloud Service Provider (CSP) expresses interest in serving the federal government. This marks the beginning of a multi-step process that includes: 

  • Preparation: The CSP must conduct a thorough security assessment and document the security measures in place for their cloud service. This involves creating a System Security Plan (SSP) that outlines how the CSP manages security controls. 
  • Assessment: A third-party assessment organisation (3PAO) conducts a comprehensive security assessment to ensure that the CSP meets the FedRAMP requirements. This includes testing the security implementations and reviewing the documentation. 
  • Authorisation: The FedRAMP Program Management Office (PMO) reviews the assessment results. If the CSP meets all requirements, the PMO issues an Authority to Operate (ATO), which is a formal declaration that the cloud service is authorised for use by federal agencies. 
  • Continuous Monitoring: To maintain the ATO, the CSP must engage in continuous monitoring of their security posture. This includes regular reporting and updates to the FedRAMP PMO to ensure ongoing compliance with the security requirements. 

IRAP: Understanding the Australian Government’s Cloud Security Protocol

Comparative Review of FedRAMP and ISM | Sekuro

The IRAP program is the Australian Government’s counterpart to FedRAMP, focusing on the security of cloud services used by Australian Government entities. The ACSC who maintains and publishes the ISM does not certify any cloud service for use by the Government. Consumers are relied upon to review the information provided by the CSP and take a risk-based approach when selecting the provider that is right for them. As IRAP is not a certification process, CSPs do not comply with the ISM per se but rather align with its recommendations. The IRAP process involves: 

  • Engagement: Organisations must engage with an accredited IRAP assessor who will evaluate the security of their cloud services. This is a critical step in ensuring that the services meet the Australian Government’s security expectations.
  • Assessment: The IRAP assessor conducts a detailed assessment against the controls outlined in the Australian Government Information Security Manual (ISM). This manual provides a comprehensive set of security controls that are designed to protect government information and systems. 
  • Reporting: After the assessment, the IRAP assessor provides a detailed report that outlines the security posture of the cloud service and identifies any risks that were discovered during the assessment.
  • Recommendations: The assessor may also provide recommendations for improving the security of the cloud service. These recommendations are invaluable for organisations looking to enhance their security measures.
  • Authorisation: Using the assessment report, organisations seek authorisation from the Australian Government to operate their cloud service. This authorisation is essential for providing cloud services to government entities in Australia.  

Comparing FedRAMP and IRAP: Identifying Differences and Opportunities

While FedRAMP and IRAP serve similar purposes, there are notable differences between the two programs: 

  • Geographical Scope: FedRAMP is specific to the United States, while IRAP is specific to Australia. This geographical distinction is important for organisations operating in multiple jurisdictions.
  • Regulatory Environment: FedRAMP aligns with the requirements of the U.S. Federal Government, while IRAP aligns with the requirements of the Australian Government. Understanding these different regulatory environments is crucial for compliance.
  • Assessment Framework: FedRAMP assessments are based on the standards set by the National Institute of Standards and Technology (NIST), whereas IRAP assessments are based on the Australian Government ISM.
  • Authorisation Process: Both programs involve an authorisation process, but the criteria and processes differ based on the respective regulatory frameworks.
Comparative Review of FedRAMP and ISM | Sekuro

Despite these differences, there are several areas where organisations can leverage one program to streamline compliance with the other: 

  • Alignment of Controls: Many of the controls and requirements specified in FedRAMP have counterparts in the IRAP program. Organisations can demonstrate alignment between the two sets of controls to meet the requirements of both programs.
  • Assessment Methodologies: The methodologies used for conducting security assessments in both programs are similar. Organisations can leverage the expertise and experience gained from one assessment process to streamline the execution of the other.
  • Documentation: The documentation required for FedRAMP and IRAP assessments often overlaps. Organisations can reuse and tailor the documentation prepared for one assessment to meet the requirements of the other, thus reducing duplication of effort.

Streamlining Assessments: A Strategic Approach

By thoroughly understanding the processes and requirements of both FedRAMP and IRAP, organisations can strategically align their efforts. This alignment not only enhances efficiency but also ensures a robust security posture for cloud services. Leveraging the similarities between these programs allows organisations to effectively navigate the complex landscape, while achieving compliance with the U.S. FedRAMP program and alignment with the recommendations outlined in the Australian Government’s ISM.


In conclusion, streamlining requirements with FedRAMP and IRAP not only optimises cloud security compliance efforts, but also positions organisations to confidently expand their operations across these two significant markets. These frameworks are not to be feared but rather embraced, and having to meet both sets of requirements does not have to feel like a doubling up of work effort. 

As a GRC consultant and IRAP assessor at Sekuro, I advocate for a proactive approach to understanding and harmonising these two frameworks. This should be recognised as an opportunity to bolster your global cloud security strategy and gain a further competitive edge, as is the case with many of our SaaS clients who aim to continue leading in their respective markets.

Learn how Sekuro can assist you with your GRC and IRAP needs.

Rob Lowe
Rob Lowe

GRC Specialist & IRAP Assessor, Sekuro

Scroll to Top