FedRAMP Adds “Ready” Category
Published: October 22, 2014
The goal behind the Federal Risk and Authorization Management Program (FedRAMP) is to streamline the cloud security authorization process. In support of this goal, it established a government-wide cloud security baseline (for FISMA low to moderate levels) and a process for evaluating cloud solutions. While the initiative described a crawl-walk-run approach from the outset, delays around reviews and authorizations seem to have triggered an adjustment to the strategy.
The Office of Management and Budget (OMB) set June 5, 2014 as a deadline for cloud vendors to comply with federal cloud security certification. Since FedRAMP launched initial operations in June 2012, fewer than 20 total authorizations for cloud solutions to operate have been awarded by the FedRAMP Joint Authorization Board (JAB) and federal agencies. The need to transition to a new security baseline (as a result of updated guidance from NIST) adds another piece to the bottleneck around getting solutions through the FedRAMP review process.
According to Matt Goodrich, the acting FedRAMP director, “FedRAMP Ready systems have documentation that has been reviewed by the FedRAMP PMO and at a minimum have gone through the FedRAMP PMO readiness review process.”
This new category provides increased visibility to CSPs pursuing FedRAMP compliance. It also allows the FedRAMP PMO to draw attention to open source solutions and build specifications that agencies can deploy. A week after the new category was announced, four systems are listed as FedRAMP Ready. If agencies need to explore beyond the solutions that have completed the FedRAMP process, this category offers them a starting point and provides information about how far a solution is from compliance. This development strengthens the case for vendors to target achieving FedRAMP compliance in cooperation with an agency. Any additional activities planned to further support agency procurement may be announced at the beginning of November 2014, when the FedRAMP office is expected to release its roadmap for the next year.