The workshop will review the security controls that federal agencies and cloud service providers must implement under the FedRAMP program, which establishes uniform federal security requirements for purchasing cloud services from vendors.
The FedRAMP provides a risk-based approach for the adoption and use of third-party cloud services by making available to federal departments and agencies standardized security requirements for the authorization and cybersecurity of cloud services for selected information system impact levels.
The FedRAMP security controls are based on the NIST Special Publication 800-53 Revisions 3, Recommended Security Controls for Federal Information Systems and Organizations, which contains a catalog of federal information security controls.
GSA explained that over 1,000 comments were received on the initial draft of the FedRAMP security controls, which was published in November 2010. To address these comments, the FedRAMP Program Management Office created tiger teams with representatives from the federal government to review, analyze, and make recommendations for actions based on each comment. The FedRAMP Joint Authorization Board (JAB), made up of federal security experts, reviewed and adjudicated these recommendations to create the FedRAMP security controls and enhancements.
The FedRAMP JAB has defined in its governance structure a process and method for the FedRAMP security controls to be updated and refined through agency input, updates to NIST 800-53, and regular reviews of the controls, GSA said.