By: Dan Chenok
GSA is now into its 5th year of overseeing the Federal Risk and Authorization Management Program, which GSA’s website describes as “a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.” FedRAMP recently entered the mobile space for cloud solutions, which will bring great benefits to agencies and promote the use of cloud as a platform for mobile innovations.
Co-authored by guest blogger Andras Szakal, Vice President and CTO, US Federal, IBM
Benefits from FedRAMP
FedRAMP has made great strides in operationalizing the federal security C&A process. FedRAMP brings commercial best practices and standardization to the process for cloud security, and does so across agencies in a way that also provides consistency across the entire federal government. Agencies can recognize the C&A/certification and obtain an Authority to Operate (ATO) for a cloud solution that another agency has provided, or that has been completed based on a review by the “Joint Authorizing Board” (JAB). This process has created significant improvements in the marketplace for cloud services in government, as detailed in a prior blog post.
The FedRAMP process is leading to more secure software production across industry. FedRAMP (along with the European Union ISO requirements) is pushing commercial providers to integrate security compliance into end-to-end development, deployment and DevOps practices. For example, automated tooling helps product teams understand and develop FedRAMP packages, and automated processes for continuous monitoring within DevOps processes promote consistency in Federal and commercial environments.