The White House released a memorandum on Thursday outlining the Federal Risk and Authorization Management Program (FedRAMP), a day short of the one-year anniversary of the release of the Office of Management and Budget's 25-Point Plan.
FedRAMP will create a platform for federal agencies to secure cloud-computing solutions when it officially goes live within the next year, a move that Federal Chief Information Officer Steven VanRoekel said will save the government 30 to 40 percent on cloud computing costs.
VanRoekel announced the program in a conference call with reporters along with GSA Associate Administrator David McClure, Department of Homeland Security CIO Richard Spires, and NIST Director for the Information Technology Laboratory Charles Romine.
"FedRAMP introduces an innovative policy approach to develop trusted relationships between agencies and providers," said VanRoekel. "Federal government spends hundreds of millions of dollars securing IT systems; much [of that] is duplicative, inconsistent and time consuming."
FedRAMP would provide joint authorizations and continuous security monitoring of shared IT services for federal departments and agencies that enter contracts with outside providers, including those offering cloud computing solutions, and will be mandatory for all federal agencies once it is launched. Spires said he estimates that FedRAMP will address up to 90 percent of agencies' FISMA requirements.
A joint authorization board of the Defense and Homeland Security departments and GSA will define and update the security authorization requirements on an ongoing basis. This board will also approve accreditation criteria for third-party organizations that will provide independent assessments of cloud service providers' compliance with FedRAMP security requirements.
He added the FedRAMP authorizations on services will be at the low and moderate levels of the Federal Information Security Management Act.
Spires said the FedRAMP development process has been collaborative in order to build trust with agency CIOs.
"They will need to make adjustments as they see fit for their agency," he said. "I certainly believe with all that we've done with these controls and adding additional controls from the standpoint of cloud-based services that we are secure for the FISMA low and moderate levels; there is a high degree of confidence. We've had these discussions in the CIO Council and I think there is a lot of excitement actually to move forward to leverage this. Frankly, as CIOs we are paying too much for all of this certification and accreditation work we do with security and we are looking for ways to streamline this."
According to the memo, FedRAMP will provide a cost-effective, risk-based approach for the adoption and use of cloud services by making available to Executive departments and agencies:
- Standardized security requirements for the authorization and ongoing cybersecurity of cloud services for selected information system impact levels;
- A conformity assessment program capable of producing consistent independent, third-party assessments of security controls implemented by CSPs;
- Authorization packages of cloud services reviewed by a Joint Authorization Board (JAB) consisting of security experts from the DHS, DOD, and GSA;
- Standardized contract language to help Executive departments and agencies integrate FedRAMP requirements and best practices into acquisition; and
- A repository of authorization packages for cloud services that can be leveraged government-wide.
The memo also outlined the future deployment of the program:
- Within 30 days, the CIO Council will publish the standardized baseline of security controls, privacy controls, and controls selected for continuous monitoring from NIST Special Publication.
- Within 60 days of the issuance of this policy, the FedRAMP PMO shall publish a Concept of Operations (CONOPS) for FedRAMP providing the initial process for Executive departments and agencies and CSPs to adhere to the FedRAMP security authorization requirements created by the JAB. The CONOPS shall be updated, as required, by the FedRAMP PMO and made available to Executive departments and agencies and CSPs.
- Within 90 days of the issuance of this policy, the JAB shall publish a charter, which defines its governance model.
- Within 180 days, the FedRAMP PMO will provide an initial operating capability for FedRAMP.
FedRAMP will reduce duplicative efforts, inconsistencies and cost inefficiencies associated with the current security authorization process. The program will also establish a public-private partnership to promote innovation and the advancement of more secure information technologies.
By using an agile and flexible framework, FedRAMP will enable the Federal Government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations and allowing agencies to leverage security authorizations on a government-wide scale, according to the memo.
The plan calls for GSA to create a program management office under the Office of Citizen Services and Innovative Technologies. The PMO will:
- Create a process for Executive departments and agencies and CSPs to adhere to the FedRAMP security authorization requirements created by the JAB;
- Prioritize requests for authorization and authorization package review by the JAB in accordance with the JAB-approved priority queue requirements and publish and update on a continuous basis the FedRAMP priority queue;
- Establish a centralized, secure repository detailing requests for authorization, agency-provided authorization packages, CSP-provided authorization packages, and JAB provisional authorization packages of cloud services that Executive departments and agencies can leverage to grant security authorizations;
- Coordinate and collaborate with the NIST to develop and implement a formal conformity assessment program to accredit 3PAOs to provide independent assessments of how CSPs implement the FedRAMP requirements;
- Develop and make available to Executive departments and agencies templates that can satisfy FedRAMP security authorization requirements through standard contract language and service level agreements (SLAs) for use in the acquisition of cloud services; and
- Develop and make available to Executive departments and agencies template Memoranda of Understanding (MOU) and/or Memoranda of Agreement (MOA).