Feds Explain How FedRAMP Will Work

Implementation of Cloud Computing Initiative Will Be In Phases
The federal government has issued a 47-page document that explains how the FedRAMP cloud computing initiative will work.

The Federal Risk and Authorization Management Program aims to promote widespread adoption of secure cloud computing in the federal government. The document identifies key processes, including security risk assessment and authorization, third-party assessor accreditation, and continuing assessment and authorization of the cloud service.

The government says FedRAMP, when implemented, will ensure that cloud-based services have adequate information security, eliminate duplication of effort, reduce risk management costs, and enable rapid and cost-effective procurement of information systems and services for federal agencies.

Under FedRAMP:

  • A cloud service provider follows a process for provisional authorization and uses a third-party assessor to assess and review its security control implementations.
  • The provider furnishes documentation of test results in a completed assessment package to the FedRAMP project management office.
  • The security package is reviewed by FedRAMP's Joint Authorization Board, and if a provider's system presents an acceptable level of risk, a provisional authorization is granted.
  • Agencies can then leverage the provisional authorizations and grant their own authorizations without conducting duplicative assessments.

The document also explains that cloud providers and agencies will share security control responsibilities, but at different levels, depending on the type of cloud computing platform being contracted.

Implementation of FedRAMP will be in phases, and the document describes the services that will be available when it becomes operational, most likely in June.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
