On December 8, 2011, OMB issued the “Security Authorization of Information Systems in Cloud Computing Environments” policy, defining the Federal Risk and Authorization Management Program (FedRAMP). As the first steps in implementing FedRAMP, GSA published a revised set of security controls for Low and Moderate baselines (tailored specifically for cloud services) and released the FedRAMP Concept of Operations (CONOPS) on February 7, 2012.
So what does it all mean?
According to the CONOPS, “FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. This approach uses a ‘do once, use many times’ framework that will save cost, time and staff required to conduct redundant agency security assessments.”
In this case, “do once” means that any cloud service provider (CSP) can apply for and receive a provisional authorization from FedRAMP. “Use many times” means that any and all agencies then can leverage the existing authorization for that specific CSP into their own ATO packages. By eliminating duplication of effort with the compliance process across agencies, there are major cost savings to both government agencies and service providers.
Great idea! So how do we do this?
Third Party Assessment Organizations (3PAOs, in FedRAMP terminology) will play a critical role in the process. According to FedRAMP, “Third Party Assessment Organizations perform initial and periodic assessment of CSP systems per FedRAMP requirements, provide evidence of compliance, and play an ongoing role in ensuring that CSPs meet requirements.” No CSP will be awarded a provisional authorization without first undergoing an independent assessment by a FedRAMP-approved 3PAO, followed by periodic 3PAO assessments thereafter.
How TalaTek can help.
TalaTek’s Enterprise Compliance Management Solution (ECMS) methodology, implemented in 2008, was designed to standardize processes and manage costs. Our solution applies the “do once, use many times” approach by creating defined, repeatable workflows and standard procedures. In addition, ECMS can store and produce customized artifacts such as system security plans, collected evidence, standard templates and targeted NIST control sets.
In practical terms, this means that the cost, level of effort and dedicated resources assigned to the FISMA/FedRAMP compliance, reporting and ongoing continuous monitoring tasks are reduced over time, resulting in a sustainable, cost-efficient model for any service provider and its customer/Federal agency.
Our methodology is perfectly suited to meet the FedRAMP requirements. TalaTek is in the process of applying for FedRAMP 3PAO status.