Feds Explain How FedRAMP Will Work
Implementation of Cloud Computing Initiative Will Be In Phases
The Federal Risk and Authorization Management Program aims to promote widespread adoption of secure cloud computing in the federal government, and the document identifies key processes, including security risk assessment and authorization, third-party assessor accreditation, and continuing assessment and authorization of the cloud service.
The government says FedRAMP, when implemented, will ensure that cloud-based services have adequate information security, eliminate duplication of effort, reduce risk management costs, and enable rapid and cost-effective procurement of information systems and services for federal agencies.
- A cloud service provider follows a process for provisional authorization and uses a third-party assessor to assess and review its security control implementations.
- The provider furnishes documentation of test results in a completed assessment package to the FedRAMP project management office.
- The security package is reviewed by FedRAMP's Joint Authorization Board, and if a provider's system presents an acceptable level of risk, a provisional authorization is granted.
- Agencies can then leverage the provisional authorizations and grant their own authorizations without conducting duplicative assessments.
The document also explains that cloud providers and agencies will share security control responsibilities, but at different levels, depending on the type of cloud computing platform being contracted.
Implementation of FedRAMP will be in phases, and the document describes the services that will be available when it becomes operational, most likely in June.