The Federal Risk and Authorization Management Program (FedRAMP) is launching a site to clear up the confusion surrounding federal cloud compliance. The site is fedRAMP.gov, and it is intended for federal agencies and vendors of cloud-based technologies and services. It replaces the old site: http://cloud.cio.gov/fedramp

According to FedRAMP Director Matt Goodrich, “We’ll be focusing on reaching a broader audience and get into the agencies and vendors who haven’t quite grasped what FedRAMP is and how it benefits them. Using the same message over and over again doesn’t work. At FedRAMP, we’ve been doing the same message for 2 1/2 years. We need to shake it up and say it again differently so we’re penetrating the different types of the market and agencies who haven’t quite gotten the message yet.” The site will feature a training program.
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a risk management program for assessing and monitoring the security of cloud products and services.
FedRAMP focuses on three major areas of cloud security:
- Providing joint security assessments and authorizations based on a standardized baseline set of security controls
- Using approved Third Party Assessment Organizations to consistently evaluate a Cloud Service Provider’s ability to meet the security controls
- Coordinating continuous monitoring services
Why is FedRAMP needed?
The federal government is trying to get away from having each and every agency run its own homemade risk management process. It aims to save cost and reduce confusion by consolidating and streamlining FedRAMP and the other risk management processes.
Who does FedRAMP apply to?
FedRAMP PMO – Housed within GSA and responsible for operational management.
NIST – Maintains FISMA standards, and establishes technical standards.
Joint Authorization Board (JAB) – performs rigorous technical reviews of CSP authorization packages for FedRAMP compliance and grants the provisional ATO; its members are the CIOs from the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense CIO Council; it also coordinates cross-agency communications.
DHS – monitors and reports on security incidents and provides data for continuous monitoring.
Agencies – use the FedRAMP process when conducting risk assessments, security authorizations, and granting an ATO to a cloud service.
Third Party Assessment Organizations – perform initial and ongoing independent verification and validation of the security controls deployed within the Cloud Service Provider’s information system.
Cloud Service Providers – implement the security controls within their products and services needed to meet the security requirements outlined in FedRAMP.