The FedRAMP provides a risk-based approach for the adoption and use of third-party cloud services by making available to federal departments and agencies standardized security requirements for the authorization and cybersecurity of cloud services for selected information system impact levels.
It also provides a conformity assessment program capable of producing consistent independent, third-party assessments of security controls implemented by cloud service providers, in addition to authorization packages of cloud services reviewed by a Joint Authorization Board consisting of federal security experts, standardized contract language to help departments and agencies integrate security requirements and best practices into acquisition, and a repository of authorization packages for cloud services.
Federal Information Security Officer Steven VanRoekel predicted that FedRAMP would cut cloud security costs by 30% to 40% by reducing duplicate efforts, inconsistencies, and inefficiencies associated with the current federal security authorization process.
“By using an agile and flexible framework, FedRAMP will enable the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations and allowing agencies to leverage security authorizations on a government-wide scale”, VanRoekel said in a Dec. 8 memo to federal chief information officers.
The FedRAMP program took two years to develop. A draft program was released over a year ago. At that time, the government was predicting the program would be ready in the first quarter of 2011.