Guidelines would speed certification of cloud products, services

GSA releases FedRAMP requirements for comment

The General Services Administration is seeking public comment on security requirements designed to speed up the certification and accreditation of cloud computing products and services. In coordination with the Federal CIO Council, GSA released the comprehensive requirements for the Federal Risk and Authorization Management Program today.

FedRAMP is an interagency initiative to provide a governmentwide certification process. The aim is to reduce costs and duplication when multiple agencies attempt to certify products and services for security compliance.

Agency and industry officials have anticipated the release of these security controls for public comment for months as GSA officials talked about their imminent publication at conferences throughout late summer and into the fall.

GSA and the CIO Council are seeking comments from federal agencies, vendors, and the public on process templates, guides, common security requirements, and other in-depth aspects of the program.


Related Coverage:

Thinking of a private cloud? Government gets an expanding choice


The documents are available at the FedRAMP website. Comments will be accepted through 11:59 p.m. Eastern Time on Thursday, Dec. 2. Two information sessions will be held in Washington during the comment period - one for government agencies, and one for vendors, GSA officials said. More information will be available on the FedRAMP site as details for these sessions are finalized.

"By simplifying how agencies procure cloud computing solutions, we are paving the way for more cost-effective and energy-efficient service delivery for the public, while reducing the federal government's data center footprint." Federal CIO Vivek Kundra said in a prepared statement.

"Ensuring data and systems security is one of the biggest and most important challenges for federal agencies moving to the cloud," said David McClure, GSA's associate administrator for citizen services and innovative technologies.

Seeking comment from industry, government and the public will ensure that the FedRAMP requirements maximize security while easing access toward the cloud, McClure said.

The first phase of FedRAMP is expected to be operational in first quarter of fiscal 2011.

Some vendors are already working to ensure that their technology is compliant with FedRAMP. For example, IBM officials are working with the government to certify a Federal Community Cloud the company announced this week.

Two federal agencies have signed on to the Federal Community Cloud so far, and IBM is waiting for the FedRAMP stamp of approval to proceed, said David McQueeney, chief technology officer with IBM’s U.S. Federal division.

About the Author

Rutrell Yasin is is a freelance technology writer for GCN.

Reader Comments

Wed, Dec 8, 2010

The current FISMA guidance, even in its latest form, do not fully take into consideration a cloud computing model. The migration to a "new" computing model provides us with the opportunity to re-think the necessary security and information assurance requirements and foundation.

Sat, Nov 13, 2010

Why invent another set of security requirements when NIST is already providing them under FISMA? More government duplication?

Sat, Nov 6, 2010 Betty Pierce, GSLC Colorado

Link for FedRAMP is incorrect, should be http://www.FedRAMP.gov

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above