A program intended to standardize the government’s security certification of cloud products and services is now accepting vendor applications.
Starting Wednesday, cloud service providers and agencies can apply to have products and services vetted under the Federal Risk and Authorization program (FedRAMP). The program is managed by the General Services Administration.
Companies that already provide cloud technology to agencies under GSA’s Infrastructure-as-a-Service contract will be among the first to have their technology vetted through FedRAMP. Companies on existing government contracts that provide popular cloud services, such as email services, will get priority vetting early on.
By June 2014, all cloud services and products in use at federal agencies or in an active acquisition process must meet FedRAMP requirements.
An initial group of nine organizations has been selected to provide independent security reviews of cloud products and services used in the federal government.
As part of the Federal Risk and Authorization program (FedRAMP), expected to launch June 6, vendors must work with an approved third-party assessment organization, or 3PAO, to validate whether they've implemented baseline security standards. For years, these security reviews have varied across government and have cost agencies millions of dollars each year.
Approved 3PAOs include:
Department of Transportation Enterprise Service Center
Dynamics Research Corporation
J.D. Biggs and Associates Inc.
Knowledge Consulting Group, Inc.
SRA International, Inc.
Veris Group, LLC
A review board, composed of officials from the National Institute of Standards and Technology and GSA, selected the first wave of 3PAOs. As part of the FedRAMP process, vendors must contract with a 3PAO to assess the security of their products and services.
“The accreditation process will eventually migrate to a board managed by private sector organizations,” according to the FedRAMP concept of operations document. “After the private sector accreditation body has been established, the FedRAMP PMO (program management office) will establish a transition timeframe for all 3PAOs to be accredited by the privatized board.”