FedRAMP has been in the news a lot these days. Why is it getting buzz and how does it affect your agency? Here’s a quick summary and resources on how to learn more.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standard approach to security assessment, authorization, and continuous monitoring for cloud products and services.
What’s the purpose of FedRAMP?
- Establish a uniform risk management-based approach to security for cloud services
- Eliminate duplication of cost and effort by conducting security assessments in accordance with a standard set of controls and templates that can be leveraged across agencies
- Lower barriers to adopting cloud computing services by selecting a set of FISMA security controls and providing guidance on how to apply them to cloud services
- Provide a repository of documents that support authorizations to operate (ATOs) that agencies can leverage in accrediting cloud services for use in their technical environment.
What’s the end result?
- Simplified cloud security and a more transparent role for government
- Less duplication and a more efficient process for creating a secure cloud environment for agencies.
How does the process work?
There are several key stakeholders that make FedRAMP work:
- The Department of Homeland Security, the Department of Defense, and the General Services Administration make up the Joint Authorization Board (JAB), which grants the provisional ATO used by agencies.
- Cloud service providers apply for FedRAMP accreditation. They must, at a minimum, use the established set of controls, templates, and an independent third party assessor.
- Independent third party assessors provide an evaluation of the cloud service provider’s ability to mitigate risks and validate testing and compliance.
If your agency hasn’t yet moved to the cloud or would benefit from FedRAMP, check out fedramp.gov to learn more. You can also find out how to get your cloud service provider approved and see a list of accredited third party cloud operators.
This post was drafted by Kelsey Parkman, a User Web Content Intern at GSA’s Center For Excellence in Digital Government.
3 comments
Jason says:
July 22, 2012 at 6:22 am (UTC -5 )
I certainly support regulation on cloud storage providers; this will set a legal framework for clouds to be accountable for data security and lost data.
Oyun Sokağı says:
July 21, 2012 at 8:41 am (UTC -5 )
“Provide a repository of documents that support authorizations to operate (ATOs) that agencies can leverage in accrediting cloud services for use in their technical environment.” that will be hard due to hard implementation…
Dave says:
July 13, 2012 at 2:06 am (UTC -5 )
Very good point to mention that cloud service providers apply for FedRAMP accreditation, and independent third party assessors provide an evaluation of the cloud service provider’s ability to mitigate risks and validate testing and compliance.