FedRAMP Cloud Computing Framework

Establishing federal standards to save time and money while easing fears of cloud security

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program established in December 2011 to speed the adoption of cloud computing. FedRAMP includes a set of requirements for federal cloud computing and universal procedures for approving services and providers to work with the government. When contractors believe they have met FedRAMP requirements, they must have their security control implementations independently verified and validated for compliance by a FedRAMP-accredited Third Party Assessment Organization, which then submits a security assessment package for review by the cross-agency Joint Authorization Board (JAB). White House officials expect FedRAMP to be operational by June; it will be mandatory for all government cloud deployments at low to moderate risk levels, except for single-agency private clouds.

In January, the US Federal government issued a comprehensive list of 168 security control requirements in 16 categories that cloud providers must comply with before they can provide services to any Federal agency. The requirements cover, but are not limited to, the specifics of software upgrades and backups, smartphone access, and security issues. While the list of requirements is lengthy, the good news for vendors is that once they prove compliance with those requirements, they become eligible to sell their services to any federal agency. The goal is to establish standards that ease fears about cloud security while saving time and labor through one federal standard rather than redundant agency standards, allowing organizations to leverage approvals already granted elsewhere.

The approach uses a “do once, use many times” framework that will save on the money, time and staff required to conduct redundant agency security assessments, GSA officials said.