In a December 2011 memorandum from Steven VanRoekel, US Chief Information Officer in the Executive Office of the President, to federal agency CIOs, the Federal Risk and Authorization Management Program (FedRAMP) was introduced.
The memo stated FedRAMP was intended to provide a cost-effective, risk-based approach for the adoption and use of cloud services by federal agencies.
FedRAMP’s director recently provided an overview and update on the program for anyone who is not familiar with it.
Matt Goodrich is the director for FedRAMP in the General Services Administration’s (GSA) Office of Citizen Services and Innovative Technologies (OCSIT).
Goodrich has worked on FedRAMP as part of the Federal Cloud Computing Initiative since August of 2009. In this role, he manages the FedRAMP Program Management Office (PMO) and sets the overall direction of the program. As a mandatory federal-wide initiative, FedRAMP is one of the leading cloud computing security programs paving the way for cloud adoption and ensuring the security of cloud computing solutions used by the US government.
Goodrich shared the following:
Any system the federal government wants to use has to demonstrate it can provide the right level of security to protect federal data — this is required by law (the eGov Act of 2002, a.k.a. the Federal Information Security Management Act (FISMA)), as well as White House policies and circulars. When the government wants to use cloud systems, the White House requires agencies to follow FedRAMP requirements and processes to demonstrate compliance with those laws and ensure a cloud service has the appropriate security.
FedRAMP is mandatory for all federal agencies. All CFO Act federal agencies are currently participating. Those that are actively working with cloud providers through authorizations can all be found on the FedRAMP marketplace. For Cloud Service Providers (CSPs) that are compliant, there is a listing under each CSP of all agencies that have granted security authorizations. For CSPs in progress, it lists the agency that is currently working with the CSP as well.
FedRAMP is currently working to establish a baseline of use of cloud systems across the US government that will provide for more accurate statistics of cloud use. The first iteration of that baseline is expected in the next few months.
FedRAMP has 3 full-time federal employees. The FedRAMP Program Management Office (PMO) also has contract support provided by Noblis, with a security team, an operations team and a quality management team. Currently, the FedRAMP PMO is around 20 people. The FedRAMP Joint Authorization Board agencies (the Departments of Defense and Homeland Security, and GSA) also support FedRAMP with about another 15 people.
According to the FedRAMP website, federal agencies engage with Cloud Service Providers, independent assessors and the FedRAMP PMO to meet FedRAMP requirements.
All 3 PAOs (independent assessors) are listed on the FedRAMP marketplace on FedRAMP.gov.
The 3 PAOs are also listed on the Cybersecurity 500 list of the world’s hottest and most innovative cybersecurity companies:
- Booz Allen;
- MindPoint Group; and
- Veris Group
For more information about FedRAMP, go to http://www.fedramp.gov.
Steve Morgan is founder and CEO of Cybersecurity Ventures and editor-in-chief of Cybersecurity Market Report and the Cybersecurity 500 list of the world’s hottest, most innovative cybersecurity companies.