From: FCW
By Christina McGhee
The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessments, authorizations and continuous monitoring for cloud products and services. FedRAMP is meant to replace the current process by which agencies assess low- and moderate-baseline third-party cloud service providers (CSPs) prior to procurement. Before FedRAMP, individual agencies managed their own assessment methodologies following guidance loosely set by the Federal Information Security Management Act of 2002.
FedRAMP has overhauled the cloud service procurement process for civilian agencies, and it is also changing how the Defense Department assesses the security of its cloud services prior to procurement.
***
CSPs must implement and document the additional controls and enhancements for assessment by DISA when applying for provisional authorization. As part of a CSP’s continuous monitoring program, the company and its third-party assessment organization (3PAO) must provide the ECSB with evidence of implementation of the additional controls. The ECSB will use that information, in combination with all the information provided to the FedRAMP information system security officer, to recommend that successful companies be reauthorized as provisional DOD CSPs.