FedRAMP, the Federal Risk and Authorization Program, is a risk management program aimed at assessing the security of cloud computing products and services, building security consistency across federal cloud computing platforms, reducing duplicative efforts, and reducing cost inefficiencies.
In establishing FedRAMP, the federal government intended to help support and increase the adoption of cloud computing services by giving cloud service providers (CSPs) a single accreditation to be used by all agencies. Here’s what you should know about the program:
- Your agency saves money, time, and resources that would go toward evaluating the wide range of CSPs when it chooses a FedRAMP provider.
- OMB states that all agencies must “use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs [Authority to Operate] for all Executive department or agency use of cloud services.”
- FedRAMP certifications are based on security requirements that federal departments and agencies have agreed to, and they are difficult to obtain. The goal is to reduce the certification timeframe to no more than an average of six months.
- By choosing a FedRAMP provider, much of the onus is on the vendor, not the agency to ensure information security.
- Even vendors that are providing a product of which only a small portion is cloud-based must be FedRAMP certified.
- To keep certification from year to year, FedRAMP vendors are required to consistently assess and monitor security controls, and demonstrate that they remain acceptable.
- Some agencies require potential vendors to be FedRAMP complaint before submitting a bid; GSA’s Kathy Conrad believes such a policy is “inappropriate and unduly restrictive.”
- A training module is being developed this year to help agency procurement officials learn about the FedRAMP program.
- Those heading the current FedRAMP review hope that the coming changes will encourage FedRAMP agency liaisons to be more collaborative and share data to help OMB gain a better understanding of where the government as a whole is with FedRAMP use and implementation.
- According to Matthew Goodrich, director of the FedRAMP program, by November 2014, the government had saved $40 million by placing 160 business systems in FedRAMP-authorized cloud systems, rather than authorizing each of those systems individually.
- By late last year, agencies were 25 to 40 percent compliant with FedRAMP.
Want more? Read our recent interview with Matthew Goodrich, Director of FedRAMP in the General Services Administration.
Leave a Reply
You must be logged in to post a comment.