FedRAMP security requirements benchmark IT reform

From: CIO.gov

IT reform in the Federal government continues to break new ground and streamline efficiencies. As we start off the new calendar year, the Federal CIO Council released today the security control requirements for the Federal Risk and Authorization Management Program (FedRAMP)—the new, innovative IT risk management program created to foster the adoption of cloud computing by the Federal government.

As detailed by Federal CIO Steven VanRoekel’s policy memo issued December 8, 2011, FedRAMP provides a standardized approach to the security authorization process for cloud products and services, adopting requirements agreed upon by all Federal agencies and approved by the FedRAMP Joint Authorization Board (JAB). The security controls baseline is the basis for FedRAMP’s standardized approach to the security authorization process for cloud products and services. The release of the FedRAMP controls is the critical first step to successfully launching FedRAMP.

The security controls approved by the JAB have gone through an extensive vetting process that began last year with the initial release of FedRAMP documentation. Since then, the JAB received and incorporated feedback from industry and government alike, to create a baseline of controls to properly address the unique elements of authorizing cloud products and services, including multi-tenancy, control of an infrastructure, and shared resource pooling. This baseline serves all Federal agencies and CSPs, to which additional controls may be added by agencies to meet specific requirements.

FedRAMP security controls also align with NIST Special Publication 800-53, Revision 3, for low and moderate impact systems (in accordance with FIPS 199). These security controls must be implemented within a cloud service provider (CSP) environment in order to receive a security authorization for the Federal government.

As part of the program, FedRAMP will make publicly available all of the requirements needed to obtain a security authorization for a cloud product or service, and the FedRAMP PMO will address questions concerning these controls at questions@FedRAMP.gov.

FedRAMP’s unified risk management process will evaluate IT services offered by vendors on behalf of Federal agencies, saving agencies from conducting their own risk management programs. By reducing duplicative risk management efforts, FedRAMP will enable Federal agencies to focus their evaluations of IT services on their agency’s specific needs, as well as their privacy and security requirements. In the coming month, GSA will release the FedRAMP Concept of Operations, further detailing the processes for Federal agencies and CSPs to meet FedRAMP requirements. 
