First FedRAMP provisional cloud security authorization goes to N.C. small business


A Cary, N.C.-based small business has received the first Federal Risk and Authorization Management Program provisional cloud security authorization from the FedRAMP Joint Authorization Board, says a General Services Administration press release.

Autonomic Resources LLC, which provides infrastructure-as-a-service capabilities to federal agencies, got the approval from the JAB, which is composed of the Defense Department, GSA and Homeland Security chief information officers.

FedRAMP establishes a standard approach to assessing and authorizing cloud computing services and defines requirements for the continuous auditing and monitoring of cloud computing providers. Commercial cloud services that meet FedRAMP control levels support moderate-risk data and information.

By adopting what GSA calls a "do once, use many times" framework, the federal government can eliminate redundant agency security assessments. The Office of Management and Budget issued a "cloud first" policy in December 2010, requiring agencies to implement cloud-based solutions whenever a secure, reliable and cost-effective cloud option exists.

To receive the provisional authorization, Autonomic Resources had to document and fully implement the FedRAMP security controls on its cloud services offerings. In addition, the small business had an independent FedRAMP-accredited third party audit its system implementations.

As a result, Autonomic Resources' IaaS offering is provisionally authorized to securely contain federal information at a "moderate" Federal Information Security Management Act level of security. This moderate-risk level requires additional information assurance safeguards to mitigate the risks. In early 2013, the FedRAMP JAB is expected to approve other cloud security authorizations, GSA says.
