Federal Chief Information Officer Steven VanRoekel, who released details of the plan, called the finalized Federal Risk and Authorization Management Program a “first step” in ongoing cloud security.
“We will continue to get feedback, continue to evolve and take the FedRAMP process forward,” VanRoekel said.
But how is industry reacting, so far?
Jennifer Kerber, the vice president of homeland security at TechAmerica, an industry group representing technology contractors, joined In Depth with Francis Rose to discuss the finalized FedRAMP plan.
“We’re excited the FedRAMP policy is out there,” Kerber said. “We look forward to seeing the controls, and we look forward to working with the government on implementing FedRAMP, especially as it’s sort of the first step in making cloud easier to deploy and quicker to deploy for low- and moderate-security level programs.”
One of the benefits could come in streamlined certification and accreditation, Kerber said, which is now mostly a fragmented, agency-by-agency process.
She cited research showing the government spent $300 million in 2009, alone, on that review process. “And that’s on the government side. Industry pays a price for those C&As as well,” she added.
“So, if we have a uniform, unified approach to risk management for cloud programs and we could go through and receive an authority to operate across government — so we’re not doing it continually all the time — it’s a cost-savings to industry and government.”
And that, in turn, could help speed the adoption rate of cloud services, Kerber said.
Federal CIO Steven VanRoekel called this a “do once, use many” approach. The Defense and Homeland Security Departments, along with the General Services Administration, will oversee a governmentwide FedRAMP authorization board, which will issue provisional authority for vendors to operate as well as approve third-party assessment organizations.