The Federal Risk Authorization Management Program, or FedRAMP, is now taking applications for cloud service providers to begin their security assessment. But agencies shouldn't expect cloud vendors to achieve approval to operate, or ATO, for several months.
The application process is the first of several steps for cloud service providers. After submitting their applications, vendors must undergo review by an accredited third-party assessment organization, or a 3PAO; by a federal agency; or by the FedRAMP Joint Authorization Board, or JAB, according to the application.
If the cloud provider clears the initial security assessment process, it will have provisional authorization and move to the next review phase, which can only be conducted by the JAB. That second phase of review will result in actual accreditation and ATO.
Katie Lewin, program manager for cloud computing at GSA, told an audience June 4 at the 2012 Management of Change conference in Cambridge, Md., that she expects three cloud services to be approved by the JAB by December 2012. FedRAMP won't reach full operational capability until late winter or early spring of next year, she said in a Federal News Radio report.
By granting ATO, the FedRAMP JAB is only certifying that cloud services meet baseline security controls. While this greatly speeds the certification and accreditation process, it's also likely agencies will conduct further security assessments, officials have said.
Software as a Service, Platform as a Service, and Infrastructure as a Service vendors are invited to apply, according to the application. FedRAMP officials have said the security assessment process will vary depending on the cloud service model. For example, software-as-a-service vendors will have a greater number of security controls they're responsible for implementing than infrastructure-as-a-service or platform-as-a-service providers, they said.