From: Washington Business Journal

Jill R. Aitoro, Senior Staff Reporter

After two years of development, the Office of Management and Budget officially launched a program Thursday that establishes uniform security requirements that contractors will have to meet to sell their cloud solutions to the federal government.

Federal Chief Information Officer Steven VanRoekel sent a memo to all agency CIOs requiring that they use the Federal Risk and Authorization Management Program when purchasing cloud services. FedRAMP, as it’s known, establishes a set of approved, minimum security controls that cloud services will have to meet, as well as an assessment process for authorizing these services under the program.

“FedRAMP introduces an innovative policy approach to develop trusted relationships between agencies and providers,” said VanRoekel during a Thursday media call on the launch. “Federal government spends hundreds of millions of dollars securing IT systems; much [of that] is duplicative, inconsistent and time consuming.” FedRAMP, he estimated, could produce 30-40 percent in cost savings from the process of securing these cloud solutions.

According to the memo, agencies are to use FedRAMP when procuring “commercial and non-commercial cloud services that are provided by information systems that support the operations and assets of the departments and agencies, including systems provided or managed by other departments or agencies, contractors, or other sources.”

A joint authorization board of the Defense and Homeland Security departments and the General Services Administration will define and update the security authorization requirements on an ongoing basis, and approve accreditation criteria for third-party organizations that will provide independent assessments of cloud service providers’ compliance with FedRAMP security requirements.

“Industry solutions will be evaluated against the baseline set of controls, we expect by the third-party assessment organizations,” said Dave McClure, GSA’s associate administrator of citizen services and innovative technologies, who was also on the media call. “We don’t want to create a bottleneck by assuming everything can come through FedRamp [directly]. We want these assessments done well, so industry will then find their products and services” can be authorized under FedRAMP more quickly and easily for use by federal agencies.

The board will soon issue a separate guidance detailing how contractors will get their cloud products or services authorized under the FedRAMP process, McClure said.

“I wouldn’t say every industry concern is addressed,” he added. “But this is an evolving and iterative program. We have to test, learn and optimize as we go along.”