The Reality of FedRAMP 2014 is Here!
If you are an IT government contractor – this is for you! Cloud Service Providers (CSPs) are required to be FedRAMP certified by June 2014. Current deployments of cloud-based services in use by Federal agencies must be compliant with FedRAMP guidelines by June 2014. Commercial providers that offered cloud-based services to the Federal government or in the acquisition process prior to June 5, 2012, must have a FedRAMP P-ATO. Government agencies have to move one system to a cloud provider within 12 months of project start, and two more systems within 18 months of launch, by the end of 2015.
FedRAMP is the federal security authorization process for CSPs which standardizes the cloud risk assessment process for every Federal agency. There are currently only nine authorized CSPs, but that number is expected to grow as the deadline approaches. In March of 2012 the Office of Management and Budget (OMB) initiated PortfolioStat, which authorized OMB to monitor Federal agencies IT portfolio for non-compliant CSPs. After the June 2014 deadline, agencies that are still working with non-compliant CSPs will be subject to a complete IT portfolio review by OMB.
Implementing FedRAMP is a complex task, and does not fit the “check-the-box” standard form process. This is a process that requires not only time and resources, but a “buy-in” from the management team. While the process is daunting, the enforcement of FedRAMP will open a whole new market for CSPs and agencies. However, the current challenge for CSPs is the clock that is ticking away closer and closer toward the June 2014 deadline. For any CSP considering FedRAMP, be aware that this process takes a minimum of six months which is why it is pertinent that you begin the process now.
Important Steps when considering FedRAMP:
- Review and download documents related to FedRAMP
- Create a project plan for your FedRAMP compliance process
- Determine environments security level
- Submit a FedRAMP Initiation Request or obtain an agency sponsor
- Compile policies, risk assessments, and internal and external security assessments
- Map your environments inventory, boundaries, and existing controls to FedRAMP requirements Work with a Third Party Assessment Organization (3PAO)
For more information on the FedRAMP deadline and how to start the certification process, contact us for help!
About Kevin Lancaster
Kevin Lancaster leads Winvale’s corporate growth strategies in both the commercial and government markets. He develops and drives solutions to meet Winvale’s business goals while enabling an operating model to help staff identify and respond to emerging trends that affect both Winvale and the clients it serves. He is integrally involved in all aspects of managing the firm’s operations and workforce, leading efforts to improve productivity, profitability, and customer satisfaction.