If a cloud services provider (CSP) wishes to provide its services to a federal agency, it must obtain authorization and approval from the Federal Risk and Authorization Management Program (FedRAMP). As more and more CSPs have entered the FedRAMP assessment process, there has been a push to help agencies and CSPs achieve FedRAMP authorization faster. Moreover, the Office of Management and Budget mandated that, starting June 5, 2014, all CSPs must be FedRAMP approved, or at least in the process of getting an authority to operate, prior to contracting with federal agencies. To assist with these efforts, GSA recently unveiled a new category in its program for cloud systems proven “FedRAMP Ready.”
FedRAMP, administered by the General Services Administration (GSA), is a government-wide screening program that provides a standardized approach for assessing and monitoring the security of contractor cloud products and services. FedRAMP was launched in 2012 as a follow-on to the government’s “Cloud First” strategy, which sought to save money by consolidating agencies’ servers and mandating data storage in the cloud. The goal of FedRAMP is to reduce the time and money that individual agencies would otherwise have to spend on assessing a cloud provider’s security. Prior to FedRAMP, each agency conducted its own risk assessment for each procured cloud service, which led to multiple, redundant security assessments for identical services. The lead agencies for FedRAMP are the GSA, the Department of Defense, and the Department of Homeland Security. Representatives from those three agencies make up the FedRAMP Joint Authorization Board, which performs risk authorizations and grants the provisional FedRAMP authorization for specific cloud services and products. Once a vendor has demonstrated compliance with FedRAMP standards, it can provide its cloud services to any federal government agency. Upon receipt of a provisional authorization to operate, the FedRAMP Project Management Office will add the vendor to the list of authorized cloud service providers on www.FedRAMP.gov.
GSA recently unveiled its newest category for FedRAMP, showcasing CSPs ready to perform assessments and authorizations with potential agency customers. This new category was created to enable contractors to get their security systems certified and federal agencies to achieve FedRAMP compliance more quickly. “FedRAMP Ready” designations will be granted to systems that have had their documentation reviewed by the FedRAMP program management office (PMO) and, at a minimum, have gone through the PMO readiness review process. According to the cloud.cio.gov website, “FedRAMP Ready systems allow potential agency customers and authorizing officials a starting point to initiate an authorization. Systems with more complete documentation or assessments by an accredited 3PAO will allow potential agency customers and authorizing officials to go through the assessment and authorization process more rapidly to become FedRAMP compliant.” Not every system in this category will be a CSP; the FedRAMP Ready system will also accommodate open source code that agencies deploy for their cloud solutions.