Looking to expedite the adoption of cloud computing throughout the federal government, United States Federal CIO Steven VanRoekel announced the creation of the Federal Risk and Authorization Management Program (FedRAMP) on Thursday, Dec., 8, in a memo to federal agency CIOs.
The program will deliver a cost-effective, risk-based approach for the adoption and use of cloud services. Operating under a “do once, use many times” framework, federal officials believe that FedRAMP will save cost, time and staff required to conduct security assessments for federal departments to make the jump to the cloud.
The program is also designed to foster relationships between agencies and cloud security providers. Services FedRAMP will provide federal agencies include:
- standardized security requirements for the authorization and ongoing cybersecurity of cloud services for selected information system impact levels;
- a conformity assessment program capable of producing consistent independent, third-party assessments of security controls implemented by cloud security providers;
- authorization packages of cloud services reviewed by a Joint Authorization Board consisting of security experts from the Department of Homeland Security, Department of Defense and General Services Administration;
- standardized contract language to help executive departments and agencies integrate FedRAMP requirements and best practices into acquisition; and
- a repository of authorization packages for cloud services that can be leveraged governmentwide.
“FedRAMP will enable the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations and allowing agencies to leverage security authorizations on a governmentwide scale,” said VanRoekel in the memo.
“Federal agencies adopting the cloud is inevitable,” said Jennifer Kerber, vice president of Federal Homeland Security Policy for TechAmerica, a U.S. technology advocacy organization, in a statement. “The only question is if it will be done in a secure or insecure fashion. The FedRAMP program could be the game-changer in this equation.”
The program is expected to begin within 180 days. More information is available on the General Services Administration’s FedRAMP Web page.