The Federal Risk and Authorization Management Program (FedRAMP) is launching a site to clear up the confusion surrounding the federal cloud compliance world. The site is fedRAMP.gov, and it is intended for federal agencies and for vendors of cloud-based technologies and services. It replaces the old site: http://cloud.cio.gov/fedramp
According to FedRAMP Director Matt Goodrich, “We’ll be focusing on reaching a broader audience and get into the agencies and vendors who haven’t quite grasped what FedRAMP is and how it benefits them. Using the same message over and over again doesn’t work. At FedRAMP, we’ve been doing the same message for 2 1/2 years. We need to shake it up and say it again differently so we’re penetrating the different types of the market and agencies who haven’t quite gotten the message yet.” The site will also feature a training program.
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide risk management program for assessing, authorizing, and continuously monitoring the security of cloud products and services.
FedRAMP focuses on 3 major areas of cloud security:
- Providing joint security assessments and authorizations based on a standardized baseline set of security controls
- Using approved Third Party Assessment Organizations to consistently evaluate a Cloud Service Provider’s ability to meet the security controls
- Coordinating continuous monitoring services
Why is FedRAMP needed?
The federal government is trying to move away from having each and every agency run its own homemade risk management process. By consolidating and streamlining FedRAMP and the other risk management processes, it aims to save cost and reduce confusion.
Who does FedRAMP apply to?
- FedRAMP PMO – Housed within GSA and responsible for operational management of the program.
- NIST – Maintains FISMA standards and establishes the technical standards.
- Joint Authorization Board (JAB) – Performs rigorous technical reviews of CSP authorization packages for FedRAMP compliance and grants the provisional ATO; members are the CIOs from the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense CIO Council; coordinates cross-agency communications.
- DHS – Monitors and reports on security incidents and provides data for continuous monitoring.
- Agencies – Use the FedRAMP process when conducting risk assessments, security authorizations, and granting an ATO to a cloud service.
- Third Party Assessment Organizations (3PAOs) – Perform initial and ongoing independent verification and validation of the security controls deployed within the Cloud Service Provider’s information system.
- Cloud Service Providers (CSPs) – Implement the security controls within their products and services needed to meet the security requirements outlined in FedRAMP.