The Obama Administration on Thursday launched a program that establishes cloud computing security standards designed to make it easier for federal agencies to assess and acquire cloud services.
The Federal Risk and Authorization Management Program (FedRAMP), developed over the past two years in collaboration with local governments, academia and private industry, sets a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. Every agency will be required to use it, Federal CIO Steven VanRoekel said in a blog post.
“This approach uses a ‘do once, use many times’ framework that will save cost, time and staff required to conduct redundant agency security assessments so no one has to reinvent the wheel,” he said.
Agencies spent “hundreds of millions of dollars on these types of activities” last year, he said. With FedRAMP, the government can save 30% to 40% of these costs, he estimated.
VanRoekel issued a memo to federal CIOs that formally established FedRAMP, described its key components, defined agency responsibilities in maintaining the program, and set requirements for agencies using it.
FedRAMP, which includes standardized contract language, will reduce duplicative efforts, inconsistencies and cost inefficiencies, he said. The program will allow the federal government to speed “the adoption of cloud computing by creating transparent standards and processes for security authorizations and allowing agencies to leverage security authorizations on a government-wide scale,” VanRoekel said.
Within 30 days of the memo, the CIO Council is scheduled to publish the baseline of security and privacy controls that make up the FedRAMP requirements, including the subset of controls selected for continuous monitoring. The program is to begin operations within 180 days.