Last week, the Federal Risk and Authorization Management Program (FedRAMP) office started taking applications from cloud service providers (CSPs) that want to attain a security authorization. This is the next step in a process that many of us have been following for the past 18 months. But what does this mean in practice?
According to the FedRAMP website (found at http://www.gsa.gov/portal/category/102371):
“The FedRAMP assessment process is initiated by agencies or CSPs beginning a security authorization using the FedRAMP requirements which are FISMA compliant and based on the NIST 800-53 rev3 and initiating work with the FedRAMP PMO.”
In reality this is a three-step process:
- The CSP applies for FedRAMP security authorization by filling out an application that documents its security practices and the controls it has implemented, and submitting it to the JAB (Joint Authorization Board).
- The CSP hires a 3PAO (third party assessment organization) to independently validate and test that those security controls are in place and adequate. Once the assessment results are documented and submitted to FedRAMP, the JAB grants a provisional ATO (authority to operate).
- Once the authorization is granted, ongoing assessment and authorization (continuous monitoring) activities must be maintained, with periodic reassessment by the 3PAO, in order to keep the security authorization.
The FedRAMP office is doing a great job of standardizing the security requirements for CSPs (both commercial and government operated, by the way). This process will better assist government agencies in their bid to migrate various services to all types of cloud providers, meaning that your agency will not have to "reinvent the wheel" when it comes to ensuring security requirements are met. Maybe even more importantly, it means that a process of continual monitoring and improvement is in place, so you have ongoing evidence that your chosen provider's controls are still operating rather than a one-time snapshot from the day of authorization.
Thanks for reading. Follow me on Twitter at @GTSI_CTO.