Guidelines would speed certification of cloud products, services
GSA releases FedRAMP requirements for comment
The General Services Administration is seeking public comment on security requirements designed to speed up the certification and accreditation of cloud computing products and services. In coordination with the Federal CIO Council, GSA released the comprehensive requirements for the Federal Risk and Authorization Management Program today.
FedRAMP is an interagency initiative to provide a governmentwide certification process. The aim is to reduce costs and duplication when multiple agencies attempt to certify products and services for security compliance.
Agency and industry officials have anticipated the release of these security controls for public comment for months as GSA officials talked about their imminent publication at conferences throughout late summer and into the fall.
GSA and the CIO Council are seeking comments from federal agencies, vendors, and the public on process templates, guides, common security requirements, and other in-depth aspects of the program.
Thinking of a private cloud? Government gets an expanding choice
The documents are available at the FedRAMP website. Comments will be accepted through 11:59 p.m. Eastern Time on Thursday, Dec. 2. Two information sessions will be held in Washington during the comment period - one for government agencies, and one for vendors, GSA officials said. More information will be available on the FedRAMP site as details for these sessions are finalized.
"By simplifying how agencies procure cloud computing solutions, we are paving the way for more cost-effective and energy-efficient service delivery for the public, while reducing the federal government's data center footprint." Federal CIO Vivek Kundra said in a prepared statement.
"Ensuring data and systems security is one of the biggest and most important challenges for federal agencies moving to the cloud," said David McClure, GSA's associate administrator for citizen services and innovative technologies.
Seeking comment from industry, government and the public will ensure that the FedRAMP requirements maximize security while easing access toward the cloud, McClure said.
The first phase of FedRAMP is expected to be operational in first quarter of fiscal 2011.
Some vendors are already working to ensure that their technology is compliant with FedRAMP. For example, IBM officials are working with the government to certify a Federal Community Cloud the company announced this week.
Two federal agencies have signed on to the Federal Community Cloud so far, and IBM is waiting for the FedRAMP stamp of approval to proceed, said David McQueeney, chief technology officer with IBM’s U.S. Federal division.
Rutrell Yasin is senior editor for Government Computer News. Follow him on Twitter: @Yasin36.