FedRAMP Adds “Ready” Category

Published: October 22, 2014


The goal behind the Federal Risk and Authorization Management Program (FedRAMP) is to streamline the cloud security authorization process. In support of this goal, it established a government-wide cloud security baseline (for FISMA low to moderate levels) and a process for evaluating cloud solutions. While the initiative described a crawl-walk-run approach from the outset, delays around reviews and authorizations seem to have triggered an adjustment to the strategy.

The Office of Management and Budget (OMB) set June 5, 2014 as a deadline for cloud vendors to comply with federal cloud security certification. Since FedRAMP launched initial operations in June 2012, fewer than 20 total authorizations for cloud solutions to operate have been awarded by the FedRAMP Joint Authorization Board (JAB) and federal agencies. The need to transition to a new security baseline (as a result of updated guidance from NIST) adds another piece to the bottleneck around getting solutions through the FedRAMP review process.

To help speed the process along, in mid-October 2014 a category was added to the queue to call out cloud solutions that have completed their documentation and gone through a readiness review by the FedRAMP PMO. According to Matt Goodrich, the acting FedRAMP director, “FedRAMP Ready systems have documentation that has been reviewed by the FedRAMP PMO and at a minimum have gone through the FedRAMP PMO readiness review process.” Since the bar for being included in the FedRAMP Ready roster is set low, cloud service providers (CSPs) are able to be listed even with work remaining to become FedRAMP compliant. Although authority to operate (ATO) must come from the FedRAMP JAB or an agency, the FedRAMP office has also described a third, “CSP supplied” path to authorization, which could feed easily into the FedRAMP Ready ranks should vendors submit prepared documentation and testing for readiness review.

This new category provides increased visibility to CSPs pursuing FedRAMP compliance. It also allows the FedRAMP PMO to draw attention to open source solutions and build specifications that agencies can deploy. A week after the new category was announced, four systems are listed as FedRAMP Ready. If agencies need to explore beyond the solutions that have completed the FedRAMP process, this category offers them a starting point and provides information about how far a solution is from compliance. This development strengthens the case for vendors to pursue FedRAMP compliance in cooperation with an agency. Any additional activities planned to further support agency procurement may be announced at the beginning of November 2014, when the FedRAMP office is expected to release its roadmap for the next year.