FedRAMP, or the Federal Risk and Authorization Management Program, is a U.S. government program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. The FedRAMP Program Management Office (PMO) has retooled the program, specifically to streamline its processes and reduce approval times.
Cloud service providers (CSPs) will now undergo a readiness review up front, conducted by a Third Party Assessment Organization (3PAO), before their package reaches the Joint Authorization Board (JAB); the intent is to shorten the JAB's own review and to get CSPs in front of the JAB sooner. Previously, System Security Plan (SSP) approval took 5 and a half months at its fastest, with approval more typically running between 9 and 18 months. FedRAMP has recognized that this timeframe could be improved, and the changes are designed to bring approval time down to 3 to 6 months. This 2.0 version focuses on optimizing the pre-approval process to reduce the time needed to authorize cloud vendors. While the process should be faster as a result of these changes, the rigor of the security assessments is meant to remain unchanged.
Once the 3PAO has completed the readiness assessment and reported passing results, the FedRAMP PMO reviews that information and, upon confirmation, designates the CSP as FedRAMP Ready. A FedRAMP Ready organization has therefore had its documentation reviewed by the FedRAMP PMO and has completed the readiness review process. The designation lets agencies and their authorizing officials take a CSP through the assessment and authorization process, and reach a compliant state, more quickly.
FedRAMP has made the documents “FedRAMP Readiness Assessment Report Template” and “FedRAMP Readiness Assessment Guidance for CSPs and 3PAOs” available for public comment until April 29, 2016.
Some of the major benefits include:
- Providing a uniform approach to risk-based security management.
- Enhancing transparency between government and cloud service providers.
- Improving the trustworthiness, reliability, consistency, and quality of the Federal security authorization process.