Cloud service providers (CSPs) are in a panic about a looming deadline that would require any CSP working with a government agency to be FedRAMP compliant by June 2014. FedRAMP is the federal government’s risk and security assessment program for cloud-based services, created as part of the “cloud-first” initiative and designed to make the assessment process more efficient. CSPs that complete a FedRAMP assessment and obtain authority to operate are eligible for procurement by any federal agency. The problem is that there are only nine authorized CSPs to choose from, and many government agencies are utilizing CSPs that are not compliant.
The process for compliance is a complicated one, and CSPs have a very tight time frame in which to become compliant and remain competitive for government contracts. There are ten steps every CSP should take when working toward FedRAMP compliance:
• Review the “Guide to Understanding FedRAMP.”
• Download the FedRAMP templates.
• Create a project plan for populating the SSP and supplemental documentation.
• Submit a FedRAMP Initiation Request or obtain an agency sponsor.
• Compile policies, risk assessments, and internal and external security assessments.
• Map your system inventory and boundaries.
• Map existing controls to FedRAMP requirements and note gaps in your plan.
• Submit the SSP and supplemental documentation to the PMO or sponsoring agency for review.
• Engage a 3PAO to perform the FedRAMP assessment.
FedRAMP compliance requires an extensive investment of time and money. If you are a CSP looking at becoming FedRAMP compliant or already in the process, or if you are an agency that is utilizing a CSP that is not compliant, you should be communicating with one another and working together to meet the coming deadline.
To read the entire article, please visit fcw.com.