GSA Releases FedRAMP Guidelines for Agencies
The General Services Administration (GSA) released a new guide last week to give federal agencies and their contractors detailed instructions on the mandatory authorizations scheduled to begin this June.
The Federal Risk and Authorization Management Program (FedRAMP) will streamline and expedite the methods for approving certain services. The newly released, 47-page “concept of operations” details the process that will occur after an independent auditor approves the product or service’s compliance with standardized controls, explaining that Department of Homeland Security (DHS) and FedRAMP officials will evaluate the services to ensure the protections remain viable.
Cloud providers have expressed concern about the program, as FedRAMP guidelines require a new risk reassessment for any system or feature upgrade, and some cloud providers frequently update their services. The reassessment must be made for any material change, the new guidelines said.
“These changes include, but are not limited to, [the cloud service provider’s (CSP)] point of contact with FedRAMP, changes in the CSP’s risk posture, changes to any applications residing on the cloud system, and/or changes to the cloud system infrastructure,” GSA said in the concept of operations.
The CSP will have to address any risks identified by the independent auditor and send the assessment to an interagency board with representatives from DHS, GSA and the Pentagon. The board will then decide whether to authorize the product despite its risks or have the CSP go back and resolve any weaknesses, GSA officials said. If the board approves a certain product or service, that CSP will be listed as an authorized government-wide provider on the FedRAMP website.
The concept of operations released last week goes on to explain the continuous security measures that CSPs must implement in accordance with the program. Suppliers must hire an auditor to reassess the product or service annually and confirm that the safeguards are still working, and the product or service must feed security updates to DHS.
The concept of operations is available here.