Yesterday, the Office of Management and Budget (OMB) issued a policy memo to all federal agencies, detailing the new Federal Risk and Authorization Management Program (FedRAMP). Intended to reduce security concerns of federal chief information officers (CIOs) surrounding cloud computing products and services, FedRAMP proposes to provide agencies a standardized system and one-stop-shop for security assessments, authorizations and continual monitoring of cloud products and services.
As mentioned in CAGW’s report, Cloud 101: A Brief Introduction, critical to the federal government’s move toward cloud computing is the simultaneous adoption of superior procurement practices and the implementation of high-level security protections. Building upon the need for improved procurement activities in government, CAGW’s second report on cloud computing, Cloud Computing 201: Guidelines for Successful Cloud Investments, details best practices for decision makers purchasing cloud solutions. On the surface, it appears the FedRAMP program to streamline the purchase of cloud solutions is a start in the right direction, despite the blatant use by the General Services Administration (GSA) of a modified version of the Obama Campaign logo for the new FedRAMP.
According to an article in today’s Politico, agencies will be required to use FedRAMP when purchasing cloud products and solutions instead of wasting time and taxpayer dollars creating their own separate processes for approval of cloud providers. Using a framework co-developed by cloud and cybersecurity experts at GSA, National Institute of Standards and Technology, Department of Homeland Security, Department of Defense, National Security Administration, OMB, the federal CIO and private industry, it is hoped that FedRAMP will help government agencies make better decisions when purchasing cloud tools and services.
The new FedRAMP mechanism will also permit cloud service providers (CSPs) to apply directly to the FedRAMP program for an authorization to operate (ATO). It is anticipated that the centralized ATO process will assist agencies in the adoption of secure cloud solutions, increase confidence in the security of cloud solutions, and achieve consistent security authorizations using a baseline set of agreed-upon standards. An industry day will be held on December 16, 2011 to explain the benefits of FedRAMP and how to apply for the assessments. Registration for industry day closes on December 14, 2011. GSA states on the FedRAMP website that the program will achieve operating capabilities within the next 180 days.