can states take advantage of fedramp

Can states take advantage of FedRAMP?

The Federal Risk and Authorization Management Program is the law of the land for federal agencies looking to the cloud, but could FedRAMP become a broader standard for other governments as well?

Private-sector cloud providers have expressed a desire to leverage FedRAMP approval in other markets. And while the General Services Administration has neither the authority nor the desire to mandate FedRAMP compliance at other levels of government, voluntary adoption was certainly something to encourage, according to Matt Goodrich, the GSA’s FedRAMP director.

"GSA and FedRAMP have worked with the National Association of State CIOs since inception. Recently GSA briefed many of the state CIOs at NASCIO's DC Fly-In on ways that they could leverage FedRAMP at the state level," Goodrich said on June 26 at the Amazon Web Services Symposium in Washington, D.C.

"FedRAMP sets the bar for how to protect federal data when it resides in cloud environment," Goodrich said, and GSA "believes that state and local governments can leverage this security standard for comparable needs at the local level." 

Wade Daley, Canada's chief technology officer, said on June 26 at the Amazon Web Services Symposium in Washington, D.C., that he'd had "good discussions with the U.S. government on their FedRAMP program," and was looking at how Canada might adopt that approach.

Matt Goodrich, the General Services Administration's FedRAMP director, confirmed that discussions were ongoing. "The FedRAMP PMO has had conversations with Canada," he said, "and we are looking forward to continued discussions in person in July."

FedRAMP backgrounder

FedRAMP: The dawn of approve-once, use-often? (April 2010)
A new interagency approach to streamlining the security certification of shared software holds promise for government cloud computing.

7 ways government is working to improve FedRAMP (March 2011)
The General Services Administration's David McClure tackles some of the myths about the FedRAMP cloud security program and offers a list of areas a group of tiger teams is working on.

How FedRAMP could boost agencies' trust in the cloud (September 2011)
The Federal Risk Authorization and Management Program can help manage sophisticated threats and complex networks, Ron Ross, NIST's senior scientist, says.

Feds put some meat on FedRAMP's bones (February 2012)
The FedRAMP Concept of Operations document released by the General Services Administration gives the program structure as it prepares for initial launch in June.

FedRAMP approval is fine, but it's just the beginning (August 2013)
The program's standardized security controls can cover basic services like email and backup storage, but after that it gets complicated.

The future of FedRAMP (November 2014)
The General Services Administration's Matthew Goodrich predicts more agency-driven authorizations and previews a new two-year road map.

The uncertain marriage of CDM and FedRAMP (February 2015)
Two vast risk management programs are gradually converging. How smoothly and quickly they can do so remains an open question

FedRAMP: Red tape or silver bullet? (June 2015)
Federal tech leaders are torn on how FedRAMP could help or hinder the monumental shift to commercial cloud.

About the Author

Troy K. Schneider is editor-in-chief of FCW and GCN.

Prior to joining 1105 Media in 2012, Schneider was the New America Foundation’s Director of Media & Technology, and before that was Managing Director for Electronic Publishing at the Atlantic Media Company. The founding editor of NationalJournal.com, Schneider also helped launch the political site PoliticsNow.com in the mid-1990s, and worked on the earliest online efforts of the Los Angeles Times and Newsday. He began his career in print journalism, and has written for a wide range of publications, including The New York Times, WashingtonPost.com, Slate, Politico, National Journal, Governing, and many of the other titles listed above.

Schneider is a graduate of Indiana University, where his emphases were journalism, business and religious studies.

Click here for previous articles by Schneider, or connect with him on Twitter: @troyschneider.


inside gcn

  • modernization (chombosan/Shutterstock.com)

    IT modernization: Not a case of rip and replace

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group