Fierce Government is reporting that FedRAMP will likely be comissioned towards the end of October 2011. The site quotes Fred Whiteside, project manager for the National Institute of Standards and Technology’s (NIST) cloud computing working group as saying “FedRAMP is due to be sort of commissioned, I want to say at the end of October–sometime around the end of October. [Its launch will] coincide, of course, with the release of the NIST technology roadmap and completion of the assessment models.”
FedRAMP, short for the Federal Risk and Authorization Management Program, will provide the United States government departments and agencies with a standard approach to assess cloud computing services and products. The program will make it easier for the federal government to adopt cloud services by providing an “approve once, use often” process:
FedRAMP will develop common security requirements for specific types of systems, provide ongoing risk assessments and continuous monitoring, and carry out government-wide security authorizations that will be posted on a public Web site. Agencies would also be able to see what security controls have been implemented in different products and services. This way, complicated certification and accreditation processes would only need to be carried out once per cloud service, and agencies could leverage shared security management services. Today, each agency that wants to adopt cloud computing technology, whether it’s Salesforce.com or the Department of the Interior’s National Business Center, typically duplicates tests already done by other agencies to ensure the service they’re signing up for meets the government’s security requirements. That leads to longer-than-necessary lead times to adoption and decisions not to adopt because the certification and accreditation process can be tedious. . . . Since different agencies have different security requirements, FedRAMP’s planners are working with agencies to develop baselines for specific domains that will be generally acceptable for most agencies. Agencies could then leverage the government-wide authorizations, and for any that need to do additional work themselves, most of the work will have already been done for them. [InformationWeek]
FedRAMP has been in development since 2009. Although it is not yet effective, several cloud providers are already going through the assessment and compliance process to ensure that their products meet the government’s stringent requirements.
For more information on FedRAMP, visit www.FedRAMP.gov.