For two years, the federal Office of Management and Budget, together with several other executive branch agencies, has been working on a project to speed up the process of certifying that commercial cloud-service providers can guarantee a sufficient level of cybersecurity. The project is the Federal Risk and Authorization Management Program (FedRAMP), and it applies to data of medium and low sensitivity.
FedRAMP’s goal is to create a single certification process that all federal agencies can use for cloud-service providers. Such a process would save time and effort for both the agency and the cloud provider.
In February 2012, the government released the concept of operations for FedRAMP and chartered the FedRAMP Joint Authorization Board, consisting of CIOs from the Homeland Security and Defense departments and the General Services Administration. This group will approve contractors to certify third-party cloud providers, part of a complex apparatus that’s scheduled to begin operation later this year but will not be fully operational until mid-2013.
In the meantime, federal agencies can reference the security controls that FedRAMP will eventually use to vet cloud providers. The standards were developed in conjunction with the National Institute of Standards and Technology (NIST) and are applicable to any agency — federal, state or local — looking for assurance that its unclassified data will be safe in the cloud.