The Federal Risk and Authorization Management Program or FedRAMP has been established to provide a standard approach to Assessing and Authorizing (A&A) cloud computing services and products. FedRAMP allows joint authorizations and continuous security monitoring services for Government and Commercial cloud computing systems intended for multi-agency use. Joint authorization of cloud providers results in a common security risk model that can be leveraged across the Federal Government. The use of this common security risk model provides a consistent baseline for Cloud based technologies. This common baseline ensures that the benefits of cloud-based technologies are effectively integrated across the various cloud computing solutions currently proposed within the government. The risk model will allow the government to enable multiple agencies to gain the benefit and insight of the FedRAMP's Authorization and access to service provider's authorization packages.
The FedRAMP program is managed under the auspices of the Federal Chief Information Officers' Council.
The NIST role in the FedRAMP program has been to serve as a technical advisor in two key areas: 1) providing recommendations on the application of NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, and 2) providing recommendations on the application of security controls selected from NIST SP 800-53 Recommended Security Controls for Federal Information Systems, for low security impact and moderate security impact Cloud Computing information systems.
FedRAMP Comments
GSA in coordination with the CIO Council have posted the Proposed Security Assessment and Authorization for U.S. Government Cloud Computing for government and industry comment, as well as the reference documents referred to in the main document. The proposed Security Assessment and Authorization for U.S. Government Cloud Computing document and reference materials can be downloaded from the GSA site through December 2, 2010