The Sm@rtEdgeLaw Group

- "Smart companies need a Sm@rtEdge" TM

Ready to Revisit Your Cloud Contracts? FedRAMP is Ramping Up With Three Public Webinars

FedRampMapThose who follow cloud computing on the federal level know the Federal Risk and Authorization Management Program (“FedRAMP”) is tasked with developing a “government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.”  We expect FedRAMP to have a broader ripple effect for corporate cloud contracting, which is why we have followed FedRAMP (and NIST’s) work on cloud computing standards closely.

Since the U.S. Office of Management and Budget (“OMB”) issued a formal memo in late 2011 mandating FedRAMP compliance for all use of cloud computing by federal agencies (with a June 5, 2014 deadline), FedRAMP, in conjunction with the Program Management Office, has worked to implement various programs that streamline governmental cloud use on the one hand and “certification” of authorized FedRAMP cloud service providers on the other.  

As a result FedRAMP is offering live webinars on June 17th, 18th, and 19th, open to the service providers and the public, to provide a FedRAMP program update, an examination of the required FedRAMP Assessment Framework and FedRAMP Security Controls, as well as the latest revisions to NIST SP800-53 Rev 4, which is a key component of the NIST Cybersecurity Framework.

  • The first session on June 17th is to provide an overview of the June 5th deadline for cloud service providers to be in compliance with FedRAMP. The goals of FedRAMP  and the overall impact on cloud service providers will be highlighted in this webinar.

Register at

Register at

  • The third session on June 19th wraps up the series with a focus on NIST SP800-53 Revision 4 and will discuss the respective changes made in response to the FedRAMP security controls. Cloud Service Providers will be informed of a transition plan that will assist them in meeting the FedRAMP mandates. Finally, the last session will also review the aspects of continuous monitoring of cloud based services – an important issue that any company contracting for or renewing their cloud services agreements should review.

Register at

FedRAMP at a Glance

The latest webinars continue to move ahead in aiding cloud service providers compliance with FedRAMP mandates. FedRAMP was designed with the goal of mitigating inefficiencies in cloud procurement and address risk management through a uniform approach to security and the monitoring of cloud services.

Furthermore, these webinars will hopefully clarify requirements, as the number of cloud service providers are few and far between when it comes to meeting provisions laid out in via the Federal Information Security Management Act or FISMA. These requirements include “clearly define boundaries”, enacting FIPS 140-2 Encryption, “authenticated scans”, “remediation of vulnerabilities”, and “multi-factor authentication”.

At this time, a number of notable Cloud Service Providers who are FedRAMP compliant include: Amazon Web Services, Lockheed Martin, Microsoft, and IBM, with a good number of other CSPs in the pipeline, including Adobe, Google, Oracle, and others

As use of cloud providers by the federal (and state) governmental agencies increases, FedRAMP’s goals – along with the parallel NIST Cybersecurity Framework – will have significant effect on cloud service agreement security schedules and associated security controls.  And now’s the time to understand and begin to vet the legal and contract requirements for your own (even if non-governmental) cloud service agreements.

Sm@rtEdge Law Clerk John Pritsiolas contributed to this post.

SIgn up for “Smartedge Perspectives” Alerts

The Author

R Santalesa

(p) 203.292.0667 (e) Richard Santalesa is based in Fairfield, Connecticut and New York City.
© 2014 Sm@rtEdge LLC. All Rights Reserved. Attorney advertising. Prior results do not guarantee a similar outcome. Site Map Privacy Policy Frontier Theme
%d bloggers like this: