Even the federal government gets it now. That is, the government has taken notice of the potential benefits and savings of cloud services. And since government data requires extra special care and compliance, cloud providers are creating government-centric offerings. The Federal Risk and Authorization Management Program (FedRAMP) aims to streamline service adoption across agencies with a “do once, use many times” approach to cloud service purchasing and implementation. By approving providers ahead of time, agencies can move quickly from provisioning to launch.
FedRAMP was created by the General Services Administration to improve efficiency. Agencies requiring cloud services rely on it to evaluate cloud services already cleared for government use. And participation in FedRAMP is mandatory for agencies requiring cloud services. Agencies using services not currently approved will have two years to prove compliance.
The list of approved cloud service providers cleared for governmental agencies is short and already contains prominent brands in the industry:
- Amazon Web Services
- Lockheed Martin
- CGI Federal
- US Department of Agriculture
Cloud service providers must submit to a three-pronged authorization process that includes a security assessment, security authorization, and ongoing assessment and authorization (near real-time). The FedRAMP Concept of Operations (pdf) outlines the entire approval process and compliance issues that must be addressed by providers applying for the program. The approval process can take up to six months.
As you might expect, the vetting process revolves around security. Providers must document and test security, then be subject to third-party review. FedRAMP doesn’t use an all-new standard, instead requiring compliance with the existing NIST SP 800-53.
FedRAMP was established to increase efficiency, reduce costs, and address the growing desire to move operations into the cloud. And while documented time and cost savings from participating providers or agencies aren’t yet publicly available, there’s good reason for optimism. Access to deployment savings reports will likely prove the program’s value over time.