Those who follow cloud computing on the federal level know the Federal Risk and Authorization Management Program (“FedRAMP”) is tasked with developing a “government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.” We expect FedRAMP to have a broader ripple effect for corporate cloud contracting, which is why we have followed FedRAMP (and NIST’s) work on cloud computing standards closely.
Since the U.S. Office of Management and Budget (“OMB”) issued a formal memo in late 2011 mandating FedRAMP compliance for all use of cloud computing by federal agencies (with a June 5, 2014 deadline), FedRAMP, in conjunction with the Program Management Office, has worked to implement various programs that streamline governmental cloud use on the one hand and “certification” of authorized FedRAMP cloud service providers on the other.
As a result, FedRAMP is offering live webinars on June 17th, 18th, and 19th, open to service providers and the public, to provide a FedRAMP program update, an examination of the required FedRAMP Assessment Framework and FedRAMP Security Controls, and a look at the latest revisions to NIST SP800-53 Rev 4, which is a key component of the NIST Cybersecurity Framework.
- The first session on June 17th will provide an overview of the June 5th deadline for cloud service providers to be in compliance with FedRAMP. The goals of FedRAMP and the overall impact on cloud service providers will be highlighted in this webinar.
Register at https://www2.gotomeeting.com/register/697599858
- The second session on June 18th covers the FedRAMP Security Assessment Framework and how it complements the NIST Risk Management Framework. The second session will also cover information system categorization, system assessment and system authorization associated with these two crucial frameworks.
Register at https://www2.gotomeeting.com/register/798256410
- The third session on June 19th wraps up the series with a focus on NIST SP800-53 Revision 4 and will discuss the respective changes made in response to the FedRAMP security controls. Cloud service providers will be informed of a transition plan that will assist them in meeting the FedRAMP mandates. Finally, this session will also review the aspects of continuous monitoring of cloud-based services – an important issue that any company contracting for or renewing its cloud services agreements should review.
Register at https://www2.gotomeeting.com/register/256069642
FedRAMP at a Glance
The latest webinars continue to move ahead in aiding cloud service providers' compliance with FedRAMP mandates. FedRAMP was designed with the goal of mitigating inefficiencies in cloud procurement and addressing risk management through a uniform approach to security and the monitoring of cloud services.
Furthermore, these webinars will hopefully clarify requirements, as cloud service providers that meet the provisions laid out in the Federal Information Security Management Act (FISMA) are few and far between. These requirements include “clearly defined boundaries”, FIPS 140-2 encryption, “authenticated scans”, “remediation of vulnerabilities”, and “multi-factor authentication”.
At this time, a number of notable Cloud Service Providers who are FedRAMP compliant include: Amazon Web Services, Lockheed Martin, Microsoft, and IBM, with a good number of other CSPs in the pipeline, including Adobe, Google, Oracle, Salesforce.com and others.
As use of cloud providers by federal (and state) governmental agencies increases, FedRAMP’s goals – along with the parallel NIST Cybersecurity Framework – will have a significant effect on cloud service agreement security schedules and associated security controls. Now is the time to understand and begin to vet the legal and contract requirements for your own (even if non-governmental) cloud service agreements.
Sm@rtEdge Law Clerk John Pritsiolas contributed to this post.