Federal officials launch FedRAMP

Federal officials announced Dec. 8 the launch of FedRAMP, an effort for low- and moderate-risk cloud services to gain common cybersecurity certification under the Federal Information Security Management Act.

In a call with reporters, Federal Chief Information Officer Steven VanRoekel said FedRAMP should cause the government to collectively save 30 to 40 percent of money spent on authorizing and accrediting cloud services to operate on federal networks.

FedRAMP will permit cloud services to attain a "provisional" authorization that agencies can use when granting cloud services authority to operate. According to a VanRoekel memo (.pdf), also dated Dec. 8, agencies will have to (the memo uses the word "shall") use FedRAMP when conducting their own risk assessments.

The standardized baseline of security requirements isn't available yet, but it should be within 30 days, the memo says.

During the press call, Richard Spires, chief information officer of the Homeland Security Department, said he estimates that FedRAMP will address up to 90 percent of agencies' FISMA requirements.

FedRAMP will have at its apex a joint authorization board with permanent membership from the Defense Department, DHS and the General Services Administration. The board will regularly update FedRAMP security requirements and certify third-party assessment organizations that will conduct the actual assessments of whether cloud services meet FedRAMP standards.

Within GSA, a program management office is being set up under the office of citizen services and communications, said Dave McClure, who heads up that office. "We're going to be troubleshooters and make the process work," he said.

Most federal agencies will want to make use of FedRAMP voluntarily, Spires said, even though they remain responsible for issuing ATOs for their own networks, the existence of FedRAMP notwithstanding.

"As CIOs, we're just paying too much for all this [certification and accreditation] kind of work we do in security, and we're looking for ways to streamline this," he said.

For more:
- listen to the FedRAMP press call
- download VanRoekel's Dec. 8 memo (.pdf)
