What’s New With FedRAMP
The program, run by the General Services Administration (GSA) with oversight from The White House Office of Management and Budget (OMB), established a government-wide baseline for security assessment, authorization and continuous monitoring of cloud products leveraged by agencies and their systems integrators.
Living up to the program’s “crawl-walk-run” philosophy, 38 cloud systems have since earned FedRAMP compliance, primarily through either a Joint Authorization Board (JAB) provisional authorization or an agency authorization to operate (ATO), with an additional small group that has been assessed and approved by an accredited third-party assessment organization (3PAO).
Here is the breakdown of the three paths to authorization:
1. JAB Provisional Authorizations
These 18 cloud systems, including VMware vCloud® Government Service provided by Carpathia™ (IaaS), underwent a meticulous technical review by the FedRAMP PMO, were assessed by a FedRAMP accredited 3PAO and received a P-ATO from the U.S. Department of Homeland Security, Department of Defense and the GSA CIO.
“FedRAMP is pleased to see the VMware and Carpathia partnership and commitment to meeting the rigorous documentation and security requirements of FedRAMP,” says FedRAMP director Matt Goodrich. “This includes not only an initial authorization, but ongoing continuous monitoring, reporting, and remediation work required to maintain a secure environment that advances cloud as an extremely viable and secure IT infrastructure service for the Government marketplace.”
2. Agency FedRAMP Authorizations
These 17 cloud systems worked directly with a customer agency to achieve a FedRAMP-compliant ATO that has been verified by the FedRAMP PMO.
3. CSP Supplied Packages
These three cloud systems, including QTS Federal Cloud (IaaS), completed a Security Assessment Package (SAP) that was assessed and approved by a FedRAMP accredited 3PAO.
Regardless of the path a cloud system has taken to achieve compliance, the FedRAMP seal of approval can be seen as a golden ticket for agency cloud adoption. Goodrich says certification is an important advancement in removing barriers to cloud adoption across the government.
However, Goodrich and the GSA are quick to point out that it’s not the only factor agencies need to consider when evaluating potential cloud service providers. To help clarify the program’s viewpoint, especially in light of comments by GSA’s Stan Kaczmarczyk at the 1105 Government Information Group’s conference in June, FedRAMP’s PMO is working to finalize procurement guidelines for agencies, based loosely on OMB’s modular IT guidance.
The procurement guidelines are an example of FedRAMP’s recent push to enhance awareness of, and the user experience with, the program. A new FedRAMP website launched in the spring of 2015, complete with a free Blackboard e-course, “Introduction to FedRAMP and the Cloud Service Provider (CSP) Readiness Process,” plus a wealth of bite-sized program-related information in the form of guides, newsletters, FAQs and weekly tips and cues.
“Coming into the security process for any vendor is very difficult. And for many of the agencies, getting into the cloud is a little scary because it’s definitely a different way of using IT services,” Goodrich said in a February interview with Federal Times. “So as we have those lessons-learned, why don’t we just share those and make sure it’s out there in a way that people can do it at their own speed?”
This month, FedRAMP is expected to unveil its second online training course, which is mandatory for System Security Plan (SSP) submission. The e-module, “FedRAMP System Security Plan (SSP) Required Documents,” will familiarize agencies and system integrators with the documentation required for initial package submission. Bookmark the FedRAMP training page for updates on the course offering.
In the meantime, download our eBrief, “Using FedRAMP to Navigate the Cloud,” to learn how to speed up cloud computing acquisition at your agency.