The FISMA Focus IPD

The General Services Administration (GSA) launched the Federal Risk and Authorization Management Program (FedRAMP) last month. The program is intended to provide a one stop approach to monitoring and enforcing security standards for all cloud products and services. As of June 2012, new cloud service providers (CSPs) will need to comply with the security criteria set forth by FedRAMP to sell to federal agencies. However, existing cloud service providers have until 2014 to undergo the security assessment and authorization process.

There are three major players in FedRAMP: the cloud service providers (CSPs), third-party assessment organizations (3PAOs), and the Joint Authorization Board (JAB). According to the Government Computer News, CSPs are required to “hire a FedRAMP-approved third-party assessment organization to perform an independent audit of the cloud system and provide a security assessment package for review by the FedRAMP Joint Authorization Board. The JAB may then grant the CSP a provisional authorization, which can be used by federal agencies for review when granting a CSP authority to operate.” It is important to note that GSA does not promote or endorse a certified 3PAO over another. However, it is the responsibility of CSPs to select and cover the cost of a 3PAO.

Though GSA experienced a few hurdles and frustrations while creating the program for agencies to follow, it has set a strong precedence for the future. It is estimated that the industry will produce several billions of dollars over the next five years. Thus, it’s no surprise that the cloud industry is quickly growing and becoming a lucrative business opportunity for vendors.