HomeGuidesAPI ReferenceChangelogDiscussions
Log In


This page contains information to assist our customers with utilizing the Deviation feature in RegScale. It describes what it is, why you would use it, the benefits, and provides instructions on getting started.

What is it?

The deviation process in the Federal Risk and Authorization Management Program (FedRAMP) involves the identification and management of exceptions to standard security requirements for cloud service providers (CSPs) seeking authorization to operate (ATO) within the federal government. When a CSP cannot fully comply with specific FedRAMP security controls due to technical or business constraints, they may request a deviation from those controls. The deviation process typically involves submitting a detailed explanation of the non-compliant areas, proposed compensating controls or mitigations, and a risk analysis to the FedRAMP Joint Authorization Board (JAB) or an agency-specific authorizing official. The JAB or authorizing official then evaluates the deviation request, weighing the risks and potential impact on the system's security posture, before granting or denying the deviation. This process allows CSPs to address unique circumstances while maintaining an acceptable level of security for federal cloud deployments. The deviation feature in RegScale automates and simplifies the deviation process in FedRAMP.

What are the benefits and why would you use it?

The deviation feature offers the following benefits:

  • Provides strong ties to the Issues/Plan of Actions and Milestones (POAM) system to provide automated updates to maintain a deviation's lifecycle
  • Provides an intuitive user interface to create and justify a deviation
  • Integrates with the NIST National Vulnerability Database (NVD) and provides a Common Vulnerability Scoring System (CVSS) v3 calculator for assessing and mitigating risks of vulnerabilities
  • Automates exports into the FedRAMP required Deviation template in Excel

How do I use it?

  • Create a new issue or view an existing issue within RegScale
  • Ensure the Integration tab has a link to the CVE identifier to ensure the CVSS calculator is available
  • Select "Utilities" and click the Deviation option
  • Complete the tabbed form to create and justify a Deviation
  • Once all Deviations are complete, export the Deviation template for FedRAMP to submit with your continuous monitoring report