For FedRAMP, GSA is using ISO 17020, which looks for independence, impartiality and integrity in the process.
“The evidence of independence and impartiality will be taken quite seriously,” said Kathy Conrad, GSA’s principal deputy associate administrator in the Office of Citizen Services and Innovative Technologies. “The success of FedRAMP depends on the integrity and rigor of these third-party assessments. If there is any question that they are not done fairly and consistently and with real independence that would undermine the whole concept of FedRAMP. That is one of the reasons why we are being so determined those third party assessments are in fact done by organizations that are independent of cloud services.”
Conrad said more than 200 people attended the event and she said there was a sense of anticipation and excitement that FedRAMP finally is moving along. The Office of Management and Budget Dec. 8 issued a policy memo detailing how the program will work.
GSA will lead the effort to choose third-party assessment organizations, which will be the first step vendor providers of clouds services must go through before receiving a provisional authority to operate from FedRAMP’s Joint Authorization Board (JAB).
McClure said the third parties will be independent of the government and charge cloud service providers to analyze their software or hardware to ensure it meets the FedRAMP standards.
The notice GSA released detailed the application process for third-party assessment organizations.
Conrad said GSA will answer all industry questions by Jan. 6 and start accepting the first-wave third-party assessment applications by Jan. 9.
She said the first round of applications will close Jan. 20, but GSA will continue to accept third-party proposals on an ongoing basis.
Conrad said the first set of third-party assessors should be named 45 days after the initial application period closes.
FedRAMP security controls coming soon
GSA also will issue the FedRAMP security controls on or about Jan. 8 and the concept of operations will come in February, Conrad said. GSA expects FedRAMP to meet initial operating capability by late spring.
It will take approximately a full year to get FedRAMP to full operational capability, McClure said.
“We will run the companies under the infrastructure-as-a-service contract through the process to understand the deltas,” he said. “Part of the way FedRAMP intends to operate is there will be a baseline standard that agencies have to meet. Then they are able to add additional controls beyond the baseline.”
Conrad added that she expects the gap between what the IaaS vendors already went through for GSA approval and what they still must do to meet FedRAMP requirements to be small.
And once GSA awards the blanket purchase agreement for e-mail-as-a-service, McClure said those vendors also will go through FedRAMP.
“What you will see evolving between now and the next six months is a prioritized list of cloud services that will be the first to go through FedRAMP,” McClure said. “It will be multi-tenant in nature, have the broadest impact and can be leveraged across the government.”