Agencies Align With FedRAMP-Approved Cloud Services

By Christine Kern, contributing writer

The Federal Risk and Authorization Management Program (FedRAMP) sets the standard for how commercial cloud services providers do business with the government. For example, Fed Tech Magazine reports the U.S. Department of Commerce plans to procure a “FedRAMP-approved cloud e-mail and migration services for government community cloud to support OIG’s mission,” and NASA and the U.S. Army have set similar requirements.

As the push grows to adopt universal standards, IT solutions providers will have to pay increasing attention to the federal guidelines if they hope to keep their agency business — and the business of clients who choose to follow suit.

In a second article, Fed Tech Magazine reports twelve cloud services now have provisional authority to operate from FedRAMP’s joint authorization board (JAB), meaning that those services meet federal security standards, according to the CIOs at the General Services Administration and Defense and Homeland Security departments. According to FedRAMP Director Maria Roat, there are 160 known instances of those 12 cloud services currently in operation under federal agencies, covering at least 250 government contracts.

That article also reports that during the FedRAMP industry day, the transition to Revision 4 of the FedRAMP’s security controls means a number of changes. For example, there are 125 security requirements for low-impact systems and 325 for moderate-impact systems, making industry standards clearer — like explaining how encryption is verified. Cloud providers are required to establish continuous monitoring and now must perform monthly vulnerability scans and report high vulnerabilities within 30 days.

For updated templates, security requirements, and program documents, visit http://cloud.cio.gov/fedramp.