FedRAMP not a “one size fits all” solution

On December 8, 2011, the Federal Chief Information Officer (CIO) announced the establishment of the Federal Risk Authorization Management Program (FedRAMP), which would provide federal agencies with a standard set of security criteria to use when deploying cloud services for their departments.

The FedRAMP framework, developed in a collaborative effort by cloud and cybersecurity experts at several federal agencies and in private industry, should help federal agencies make informed decisions and streamline the process for purchasing cloud tools and services. However, a January 19, 2012 article highlighted potential problems with using a government-wide standard approach to technology deployments. While FedRAMP lays the groundwork by creating a baseline of minimum standards for security, continuous monitoring, and independent verification and validation of implementation, it is up to each federal agency to determine what additional requirements are necessary to meet its mission needs.

Although the use of FedRAMP’s streamlined security requirements should aid government officials in making informed choices when purchasing cloud tools and services, these officials must also factor in the total cost of ownership, governance issues, portability, and data protection when looking to the cloud environment for technology solutions. Relying solely on the standards found within FedRAMP may not be enough to meet an individual agency’s needs. Resources and recommendations like those found in CAGW’s Cloud Computing 201 are helpful in guiding agencies through the purchasing process.
