FedRAMP Looks to Update, Privatize Assessment Program

Published: February 21, 2013

Cloud Computing, Cybersecurity, Innovation

Following on the heels of updates to federal information security guidance, the General Services Administration (GSA) recently released a Request for Information (RFI) on incorporating updates into its Federal Risk and Authorization Management Program (FedRAMP).

Third Party Assessment Organizations (3PAOs) undergo an accreditation process to verify their ability to provide independent assessments of cloud service provider (CSP) system security controls. According to the RFI, published in mid-February 2013, “the purpose of this notice is to allow the vendor community the opportunity to provide feedback, input, and changes to FedRAMP’s 3PAO Program Requirements.” At the time the RFI was issued, 16 organizations had received 3PAO accreditation.

On February 5, 2013, the National Institute of Standards and Technology released the final public draft of Revision 4 of Special Publication 800-53, its catalog of security controls for federal information systems. The changes in this revision include additional security controls relevant to cloud computing. Those familiar with FedRAMP will recall that the program’s security baseline draws on the controls from the previous revision of this document. The release of the new draft raises the question of whether (or rather, how soon) the FedRAMP security control baseline will be updated to match.

In the early phases of establishing the program, FedRAMP officials suggested that the program’s security controls would evolve along with guidance and technology. Ultimately, that adaptability becomes the burden of 3PAOs and authorized CSPs, both of which are responsible for ensuring that systems continue to comply with FedRAMP requirements even as those requirements change. Communication with federal customers about any resulting change to services or risk management will also be a factor.

Officials also explained that they would look to improve program operations and move toward a self-sustaining model. Given that goal, the RFI’s reference to privatizing the 3PAO accreditation process comes as little surprise. Vendors engaged in the FedRAMP process, whether as 3PAOs or as CSPs that hold accreditations or are awaiting the results of applications, would do well to assess, and share, the impact of this move on their business and services, in terms of both operations and costs. Questions regarding the RFI for 3PAO Program Requirements are due by February 26, 2013, and responses are due by March 8, 2013.