The Federal Risk and Authorization Management Program (FedRAMP) was devised to give the federal government a standardized approach to assessing and authorizing cloud components. The intent is to provide a common security risk model for evaluating cloud computing capabilities, and to solve the security authorization problems that the realities of cloud computing create.

FedRAMP aims to enable agencies with the following:

  • An interagency-vetted approach using common security requirements;
  • Consistent application of Federal security requirements;
  • Consolidated risk management; and
  • Increased effectiveness and management cost savings.

FedRAMP works with the CIO Council and the Information Security and Identity Management Committee (ISIMC) to keep the document up to date so that it evolves and grows with technical advances.

FedRAMP is currently a three-part document with the following parts:

  1. Cloud Computing Security Requirements Baseline
    1. Identifies the NIST SP 800-53 security controls that apply to cloud computing.
  2. Continuous Monitoring
    1. Determining whether the set of deployed security controls continues to be effective over time, in light of the inevitable changes that occur;
    2. Configuration management and control processes for information systems;
    3. Security impact analyses of proposed or actual changes to information systems and their environments of operation;
    4. Assessment of selected security controls (including system-specific, hybrid, and common controls) based on the defined continuous monitoring strategy;
    5. Security status reporting to appropriate officials; and
    6. Active involvement by authorizing officials in the ongoing management of information-system-related security risks.
  3. Potential Assessment and Authorization Approach
    1. An inter-agency-vetted Cloud Computing Security Requirements baseline that is used across the Federal Government;
    2. Consistent interpretation and application of the security requirements baseline in a cloud computing environment;
    3. Consistent evaluation of cloud service provider authorization packages using a standard set of processes and evaluation criteria;
    4. More consistent and efficient continuous monitoring of cloud computing environments and systems, fostering cross-agency communication of best practices and shared knowledge; and
    5. Cost savings and cost avoidance realized through the “Approve once, use often” concept for security authorization of cloud systems: the provider's authorization package is assessed once and then reused by multiple agencies, each of which still issues its own authorization decision based on it.

FedRAMP looks to be a good way to expedite the delivery of cloud services to federal agencies. It should provide greater capability in a cost-effective way to agencies whose budgets continue to tighten.