While the Cloud First policy set the stage for widespread cloud adoption in the government sector, integration of the cloud products and services has been challenging. Security assessments have proven complex and time-consuming for CIOs, with federal agencies spending “hundreds of millions of dollars” each year securing their IT systems.
By offering a standardized approach to “security assessment, authorization and continuous monitoring for cloud products and services” – as described on the FedRAMP website – FedRAMP, the Federal Risk and Authorization Management Program, can help agencies save considerable time and expense.
By applying the FedRAMP framework to their evaluation of cloud products and services, government agencies can achieve a number of benefits, including:
- Uniform assessment and authorization of cloud information security controls
- Significant time and cost savings when compared to conducting independent assessments, which can often be redundant
- Increased insight into cloud security controls
- Alleviated cloud security concerns and increased trust in the validity of assessments
- Faster adoption of cloud solutions
FedRAMP evaluates cloud providers through a comprehensive, three-step process. The framework is based on a uniform set of standards used to determine whether a cloud product or service has adequate information security controls.
- Authorization and Audits: Outside federal agencies approved by FedRAMP audit the cloud system to ensure that the cloud service provider can withstand a series of threats.
- Ongoing Audits and Authorization: Once a cloud system is granted authorization, it will continue to undergo assessments and audits in order to maintain its status.
Who Governs FedRAMP?
The FedRAMP framework was developed with input from security experts from multiple departments and agencies, so the program can be considered “government-wide”. Its primary decision maker “is the Joint Authorization Board (JAB), comprised of the CIOs from DOD, DHS, and GSA. In addition to the JAB, OMB, the Federal CIO Council, NIST, DHS, and the FedRAMP Program Management Office (PMO) play key roles in effectively running FedRAMP.”