At this time, no FedRAMP events are currently scheduled; however, the program recently held well-attended Industry and Agency Days. For those that were unable to attend one of these events in person, the FedRAMP PMO hosted webinars that provided a program update, an overview of the FedRAMP Security Assessment Framework, details on the updated FedRAMP Security Controls, information on FedRAMP documentation updates based on NIST SP 800-53 Rev 4, and a summary of FedRAMP continuous monitoring.
In June 2014, the FedRAMP PMO released an updated FedRAMP security control baseline and documentation templates to reflect changes in Revision 4 of the NIST SP 800-53 security control baseline. If you are a Cloud Service Provider or a Federal agency currently part of the FedRAMP program, or one who is considering entry into the program, please take time to understand the transition plan as well as reviewing key documents and templates to understand the requirements of the program.
PUBLIC COMMENT REQUESTS
On August 20, FedRAMP will be releasing a few documents for public release.
- FedRAMP’s Evolving Approach to Continuous Monitoring
- This is the first in a series of public comment requests to evolve the FedRAMP continuous monitoring program to a more risk-based framework.
- FedRAMP Continuous Monitoring Executive Summary and Plan of Action and Milestones (POA&M) Templates
- In an effort to make continuous monitoring requirements and reporting consistent for CSPs regardless of what security package they have (JAB, Agency, CSP supplied), these two templates will become mandatory documents for all packages.
- Updated Test Cases for Incident Response and Vulnerability Scanning. These test cases are being updated to more appropriately reflect the intent of the control and to ensure that a CSP not only has the capability to do these, but has working processes to achieve the goals of these controls. The documents will will be posted on fedramp.gov website for 30 days. Please watch for their posting, review them, and provide feedback and comments to firstname.lastname@example.org.
CSPS WITH A FEDRAMP AUTHORIZATION
At this time, 12 cloud services have obtained a FedRAMP JAB Provisional Authorization and 5 cloud services have obtained a FedRAMP Agency Authorization. The official list of compliant cloud services can be found here. If you are an agency that has worked with a CSP to complete a FedRAMP compliant security package and it is not listed on this page, please contact the FedRAMP PMO (email@example.com) so the necessary documentation can be filed. This will allow other agencies to leverage the security assessment documentation in support of the do once use many times approach to federal cybersecurity that FedRAMP enables. If you are an agency looking to leverage one of these authorization packages, please complete the package request form. Once you accepted the risks and issued an Agency ATO based off the FedRAMP package, please send the FedRAMP PMO (firstname.lastname@example.org) a copy of your ATO letter so we can keep track of FedRAMP Agency compliance.
CSPs IN PROCESS FOR A FEDRAMP AUTHORIZATION
FedRAMP currently has 15 Cloud Services in the process of attaining a JAB Provisional Authorization. A CSP pursuing a JAB Provisional Authorization officially kicks off with the FedRAMP PMO and is assigned a FedRAMP ISSO to work through meeting the FedRAMP security requirements. Additionally, a CSP has engaged the services of an accredited 3PAO to complete their security assessment. In addition to these Cloud Services, 12 Cloud Services are in process for an Agency Authorization. A CSP pursuing an Agency Authorization commits to working through the FedRAMP process with a Federal agency to meet FedRAMP security requirements. A listing of in process CSPs can be found here. In addition, the page contains a listing of CSPs that have demonstrated readiness to begin the FedRAMP authorization process and are waiting on a kickoff with either Federal agencies or the FedRAMP JAB. If you are are an agency ready to kick off with one of these CSPs, please let the FedRAMP PMO know. In addition, if you are CSP actively working on a FedRAMP Agency authorization, and your cloud service is not identified on the in-process list, please contact the FedRAMP PMO (info@FedRAMP.gov) so we can add the cloud service to the list.