Federal Compliance Update: FedRAMP

The U.S. Federal Government has expanded its service offerings by outsourcing infrastructure to cloud-based service providers. The use of cloud-based services comes with inherent risk, so the Federal Office of Management and Budget (OMB) has been working diligently over the past few years to provide federal agencies with guidelines on using CSPs (Cloud Service Providers).

In December 2010 the OMB released the 25 Point Implementation Plan to Reform Federal Information Technology Management, which established a policy for agencies to use secure, reliable, and cost-effective cloud-based technology solutions.

In December 2011 the OMB followed up the implementation plan with a memorandum on Security Authorization of Information Systems in Cloud Computing Environments, which established the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP provides federal agencies with a cost-effective, standardized approach to security assessment, authorization, and continuous monitoring for cloud-based services.

In February 2012 the OMB released the FedRAMP Concept of Operations (CONOPS) to provide CSPs with guidelines for using 3PAOs (Third Party Assessment Organizations). The FedRAMP CONOPS defined security control baselines for low- and moderate-impact systems, with the impact levels as defined in FIPS (Federal Information Processing Standards) Publication 199.

The security controls used in the baselines were selected from the NIST (National Institute of Standards and Technology) Special Publication 800-53 Revision 3 security controls and enhancements.

The CONOPS also includes additional requirements, such as the use of FedRAMP templates, test cases, and ongoing assessment and authorization processes. There is a plethora of documentation around FedRAMP, but the most important thing to know is that the requirements are derived from the NIST Special Publication 800-53 Revision 3 security controls and enhancements, selected according to the FIPS 199 system impact level.

For more information on navigating the FedRAMP security assessment process, please review the Guide to Understanding FedRAMP, which was released in October 2012.