FedRAMP Looks to Update, Privatize Assessment Program
Published: February 21, 2013
Following on the heels of updates to federal information security guidance, the General Services Administration (GSA) recently released a Request for Information (RFI) on incorporating updates into its Federal Risk and Authorization Management Program (FedRAMP).
The Third Party Assessment Organizations (3PAOs) undergo an accreditation process to verify their ability to provide independent reviews of cloud service provider (CSP) system security controls. According to the RFI published mid-February 2013, “the purpose of this notice is to allow the vendor community the opportunity to provide feedback, input, and changes to FedRAMP’s 3PAO Program Requirements.” At the time the RFI was issued, 16 organizations had received 3PAO accreditation.
On February 5, 2013, the National Institute of Standards and Technology released a final draft update on information security (Special Publication 800-53). The changes in the latest version include additional security controls related to cloud computing. Those familiar with the FedRAMP program will recall that the program’s security baseline draws on the controls from the previous version of this document. The release of this latest draft raises questions about whether (or rather, how soon) FedRAMP security controls will be updated.