Cloud vendors can now submit services for FedRAMP approval

February 14, 2012

The United States General Services Administration launched the Federal Risk and Authorization Management Program in December to establish a standardized policy for government agency cloud adoption, but FedRAMP is already undergoing a few changes.

According to Federal News Radio, the FedRAMP program management office recently released a Concept of Operations (CONOPS) document detailing how cloud vendors can submit their products and services for approval without having to first secure a contract. Previously, government agencies submitted only the cloud services they were interested in adopting, while third party providers can now receive approval without already having a service contract.

"They can go through the entire FedRAMP process, look at the process we laid out, follow all those instructions, create all those documents, provide all that evidence and submit that to FedRAMP and be put into the priority queue," said Matt Goodrich of the Federal Cloud Computing Initiative, as reported by the source. "If you haven't been prioritized for review by the Joint Authorization Board (JAB), that doesn't mean we don't put your assessment package in the repository for agencies to see you have done that work so they can look at it and start to leverage it."

Goodrich said the CONOPS was the hardest FedRAMP document to draft and have approved, as it has significant security ramifications for federal cloud adopters and impacts numerous potential cloud vendors. Since FedRAMP's launch in December with a policy memo, GSA has also published the 3PAO Application Materials document and the FedRAMP Security Controls.

According to Federal News Radio, the CONOPS details three main areas, including how assessors will examine if the cloud vendors' products and services meet the security controls. Meanwhile, the document described how the FedRAMP management office will create an archive of approved cloud providers for agencies to research.

The U.S. government, including President Barack Obama's administration, has been extremely supportive of widespread federal cloud adoption, as it believes the technology can reduce IT budgets, improve security and increase employee flexibility. Although a large share of American businesses have implemented cloud strategies and continue to adopt cloud-based services, security is still a major concern for many firms. However, government cloud adoption and a wealth of experts saying the cloud is a secure environment for storing data, applications and infrastructure could eliminate security concerns among many companies.

According to a Federal News Radio survey, 83 percent of federal agencies expected to meet the Office of Management and Budget's stipulation of migrating at least one IT function to the cloud by the beginning of 2012.

-McAfee Cloud Security