By Rebecca Barbour, SBTDC/PTAC counselor @ NC State University
According to the General Services Administration, the federal government spends hundreds of millions of dollars each year securing IT systems. Cloud-based solutions allow for greater flexibility and efficiency in computing, but their adoption has been slow and cumbersome due to redundant and costly processes between agencies. To address the need for adopting cloud-based solutions in an efficient and effective manner, the federal government formed the Federal Risk and Authorization Management Program, or FedRAMP.
What is FedRAMP?
FedRAMP is a collaboration between the General Services Administration, the National Institute of Standards and Technology, the Department of Homeland Security, the Department of Defense, the National Security Agency, the Office of Management and Budget, the Federal Chief Information Officer Council and private industry. The goal of the FedRAMP program is to provide a government-wide standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Using a “do once, use many times” approach, cloud service providers may now obtain a single FedRAMP accreditation that will be recognized by multiple agencies.
How do Businesses Participate?
Cloud service providers (CSPs) seeking FedRAMP accreditation may apply directly for an authorization or they may work with a sponsoring agency. Before submitting an Initiation Request, CSPs are encouraged to become familiar with FedRAMP publications, as well as the four program process areas: Document, Assess, Authorize, and Monitor. In the Document phase, CSPs are required to select and implement the appropriate FedRAMP security controls baseline and document the details of the implementation in a System Security Plan. In the Assess phase, CSPs must engage an independent auditor to evaluate the implementation and documentation. In the Authorize phase, the auditor’s report is shared with the CSP and authorizing officials for review and revision, and a final security package is submitted for authorization. Once authorized, CSPs enter the Monitor phase, where they engage in continuous monitoring of their system to ensure ongoing compliance and security.
Is FedRAMP for Me?
A number of CSPs have already obtained FedRAMP authorization, and there is a wealth of training available for providers that are considering pursuing accreditation. Interested providers should make use of the online training provided to vendors by the FedRAMP board and study the guidelines and documents required for authorization. For more information, please visit www.fedramp.gov.