Responsibility for FedRAMP security controls will vary

The degree to which cloud service providers and federal agencies are each responsible for security controls under the FedRAMP program will depend on the type of service offered and on the vendor itself, federal officials said Feb. 8.

During a press call and follow-up interviews, officials from the FedRAMP program office noted that the FedRAMP concept of operations posits that software-as-a-service vendors will be responsible for implementing a greater number of controls than infrastructure-as-a-service or platform-as-a-service providers. However, whether an agency or a vendor takes responsibility for many specific controls will "vary not only by deployment model, but service delivery model and agency and cloud service provider," said Matt Goodrich, FedRAMP program manager.

FedRAMP is meant to grant cloud vendors a provisional authorization valid at any federal agency. A provisional authorization does not remove the need for a local agency official to sign an authorization to operate on the local network, but it should significantly speed up the process, since agencies won't have to reassess a provider's compliance with the baseline security controls, federal officials say.

As an example, Goodrich said vulnerability scanning (control RA-5 in SP 800-53, the official federal catalog of security controls) would be the responsibility of federal agencies buying IaaS but the responsibility of a vendor providing SaaS. Responsibility for controls could even vary from vendor to vendor within the same class of cloud service. "There's many variables that will affect that outcome," said Dave McClure, associate administrator at the General Services Administration's office of citizen services and innovative technologies. Documentation for each provisional authorization granted under FedRAMP will delineate those responsibilities, officials said.
The FedRAMP controls are taken directly from SP 800-53, which is maintained by the National Institute of Standards and Technology. NIST officials say a significant revision of the controls catalog is set for release later this month. The FedRAMP joint authorization board will update its controls to match the baselines in the revised document, Goodrich said.

Related Articles:
- FedRAMP is mandatory for cloud providers, says McClure
- FedRAMP CONOPS calls for big DHS role
- FedRAMP baseline controls released