New template outlines FedRAMP readiness assessment
The General Services Administration’s Federal Risk and Authorization Management Program dropped Tuesday the final version of its Readiness Assessment Report template, an avenue for cloud providers to show they are ready to start the certification process.
FedRAMP-accredited third-party assessment organizations will fill out the report when they are conducting what is basically a pre-audit to deem cloud service providers “FedRAMP Ready.” The FedRAMP Program Management Office must then approve the report.
The new template is part of recent efforts to speed the process to get certified called FedRAMP Accelerated.
[Read more: Exclusive: FedRAMP embraces the need for speed]
The report template published Tuesday lays out minimum requirements for the providers while giving guidance to the third-party assessors, according to the GSA blog post.
Being FedRAMP Ready signals the provider is likely to get a provisional authorization to operate, or P-ATO, via the Joint Authorization Board or an authorization to operate by an agency, the blog post says.
This process allows the government to assess the providers’ capabilities before they go through a lengthy documentation process to get certified.
Focusing on capabilities enables the third party “to assess a CSP’s [cloud service provider’s] system in a shorter amount of time,” and gives “the government a clearer understanding of a provider’s technical capabilities up-front in the assessment process,” according to the blog post.
Conducting the readiness assessment should be a two-to-four week effort for mid-size, straightforward systems, according to the template. The first half of the assessment would focus on information gathering, and the second on analysis and developing the report, according to the template.
“The RAR focuses on key capabilities rather than documentation,” the blog post says.
The public commented on a draft version of the template, and the final version reflects industry feedback, according to the post.
Cloud service providers can use the template immediately, the post says.