The Federal Risk and Authorization Management Program, or FedRAMP, is still in the early stages of implementation. To address common questions about the process, General Services Administration officials fielded inquiries from industry and agency IT shops during a Nov. 7 DigitalGov University webinar.
"We are in the initial capability stage of our program, and things are subject to change during that time. We are still working on some of the kinks," said Katie Lewin, program manager for cloud computing at GSA.
Lewin said that new providers that are just beginning to offer cloud-computing solutions or just beginning to work with government, "might want to delay a little bit" until the "program is fully gelled."
Those cloud vendors already actively engaging with an agency, however, will want to apply for FedRAMP immediately, she said.
"All instances of cloud services must be compliant with FedRAMP as of June 2014. So, good to start the process sooner rather than later," said Lewin.
The multi-step approval process required of cloud vendors, which is detailed in full on GSA's FedRAMP portal, relies in part on third-party assessment organizations (3PAOs). Lewin noted that, since the program launched in June, GSA has added six or seven companies to the initial nine 3PAOs.
The security requirements for FedRAMP align with FISMA and the risk management framework in NIST SP 800-37, said Lewin. The final version of NIST SP 800-53 Revision 4 is expected in January, but FedRAMP is only required to update its security control baselines on the same schedule that agencies are required to adopt the new revision.
"Typically NIST gives about a year from the finalization date until agencies must meet that. We will update our security control baseline sometime within that, and align that with NIST," said Matt Goodrich, program manager for FedRAMP at GSA.