The draft FedRAMP-TIC Overlay document will enable cloud service providers to document compliance with cloud security requirements as well as how TIC capabilities are met through both federal networks and alternative mobile approaches. Demonstrating compliance with both sets of standards through a single assessment will help reduce duplicative processes. Cloud providers will be able to received approval for the combined FedRAMP/TIC compliance through third-party assessment organizations (3PAOs). In addition to receiving authority to operate from the FedRAMP Joint Authorization Board or agency authorizing official, cloud services will can be deemed “TIC Ready.” The integration of these requirements is expected to help meet demand for secure cloud services.
Deltek’s Federal Industry Analysis team expects federal demand to continue growing for vendor-provided cloud computing services. Recent Deltek research forecasts contracted spending on cloud services will increase from $2.5 billion in FY 2014 to $6.5 billion in FY 2019 at a Compound Annual Growth Rate (CAGR) of 21%. As agencies reliance on cloud services grows, the way government users access data has continued to change. According to the draft document, a growing number of mobile users are connecting to cloud services. Under current operations, " these mobile users must route their connection through their agency network and then through a [Managed Trusted IP Service] or [TIC Access Provider] connection. This creates significant strains on agency networks and eliminates one of the key benefits of using a cloud: ubiquitous access."
Under the new approach, cloud service providers leverage the FedRAMP framework to demonstrate their ability to meet TIC requirements. In order to achieve this, TIC capabilities have been mapped to the FedRAMP security controls through the DRAFT FedRAMP-TIC Overlay. The draft document notes that, “CSPs will be able to use this overlay during a FedRAMP security assessment to prove they can provide agencies with the ability to enforce TIC capabilities for mobile users." Once the overlay is finalized, agencies are likely to incorporate data access clauses along with vendor FedRAMP certification into requirements for cloud procurements.
All feedback on the draft overlay is due May 1, 2015.