On November 2nd, the U.S. General Services Administration in coordination with the Federal Chief Information Officers Council released comprehensive requirements for the Federal Risk and Authorization Management Program, or FedRAMP, for public comment. This is a huge milestone in the governmentwide adoption of cloud computing services. The security authorizations and continuous monitoring of cloud systems that FedRAMP will provide can be used by agencies to streamline their security process while still providing highly effective security services. FedRamp allows agencies to make use of commonly accepted risk assessment and cyber security evaluation of cloud services. Joint authorizations of cloud providers will result in a common security risk model that can be leveraged across the federal government, ensuring a consistent baseline for cloud-based technologies.
"As part of the President’s Accountable Government Initiative, we are working to close the IT gap between the private and public sectors, and leverage technology to make government work harder, smarter, and faster for the American people,” …. By simplifying how agencies procure cloud-computing solutions, we are paving the way for more cost-effective and energy-efficient service delivery for the public, while reducing the federal government’s data center footprint." - Vivek Kundram, Federal CIO
The draft regulations released at the beginning of November warn that a FedRAMP authorization wouldn't free agencies from the responsibility of signing their own authorization to operate document when utilizing a FedRAMP approved cloud offering. Instead, a FedRAMP authorization would be a starting point for federal agencies "to review and potentially leverage," the document states. The first phase of FedRAMP should be operational in the first quarter of 2011.
GSA and the Federal CIO Council are seeking comments from federal agencies, vendors, and the public on this proposed set of common security configurations. The documents are available at www.FedRAMP.gov and comments will be accepted through 11:59 p.m. Eastern time on Thursday, Dec. 2. Two information sessions will be held during the comment period in Washington – one for government agencies, and one for vendors.
