
December 2014 Newsletter

FedRAMP Compliant CSPs

The FedRAMP PMO is excited to announce that four new systems have joined the list of FedRAMP compliant cloud systems.

Through the JAB, the following vendors have received a P-ATO:

  • Clear Government Solutions (CGS) FedGRID Government Community Cloud,
  • SecureKey Exchange™ for Connect.Gov (formerly FCCX), and
  • Oracle Service Cloud

Additionally, the first CSP Supplied path package is now available:

  • QTS (Quality Technology Services) Federal Cloud

This brings us to a total of 27 FedRAMP compliant cloud services! The details about each offering can be found here.

Multiple Paths to FedRAMP Compliance

Since launch, it has been clear that there are three basic paths to achieving FedRAMP compliance: (1) the JAB P-ATO path, (2) the Agency ATO path, and (3) the CSP-supplied path. This month, with the introduction of FedRAMP’s first CSP-supplied path package, we want to review the three paths for achieving FedRAMP compliance.

The JAB P-ATO is arguably the most rigorous, but it is also the most time consuming (and consequently, most expensive) path. The Agency ATO path allows CSPs to work directly with a customer Agency to achieve a FedRAMP compliant ATO, which is verified by the FedRAMP PMO for inclusion within the FedRAMP repository. The third path, CSP-supplied, is designed for CSPs who don’t have a current Federal footprint. In this instance, the FedRAMP PMO acts like a “clearing house” to verify a CSP has a completed security authorization package. CSPs can submit a completed package, have it reviewed and verified by the FedRAMP PMO, and have it stored in the FedRAMP secure repository for an agency to review and authorize.

There are a lot of opinions about the pros and cons of each type of package. Whatever your opinion is, we at the PMO want to make sure our stakeholders understand that no matter which path a CSP takes (JAB, Agency, or CSP-supplied), at the end of the day, all three paths demonstrate FedRAMP compliance and can be leveraged by any agency. In fact, the OMB policy memo requires agencies to initiate authorizations with any existing FedRAMP compliant packages. While there may be differences in the rigor with which the package was analyzed by the Federal government, the responsibility ultimately falls on individual agencies to review these packages for appropriateness, review the risk (and potentially require CSPs to address key risk areas), and make a decision whether or not to authorize a CSP for use based on the package.

Release of “FedRAMP Forward: Two Year Priorities”

FedRAMP’s success over the last two and a half years can be attributed to our core principles of transparency, consensus building, and stakeholder trust and buy-in. We have developed “FedRAMP Forward: Two Year Priorities” to share our key objectives, continue to expand and enhance the program effectively, and address key program issues critical to our continued success.

As FedRAMP looks towards the next two years, there are three goals identified within this document to address how we grow thoughtfully, deliberately, and effectively. The first is to engage more directly with stakeholders to improve understanding of FedRAMP and ensure the benefits of the program are fully realized. The second is to focus on finding key areas of efficiency to make the FedRAMP process faster and to optimize utilization of stakeholder resources. Finally, FedRAMP will continue to evolve by addressing the changing needs of stakeholders and ensuring the program keeps pace with the ever-evolving cybersecurity landscape.

These goals and key issues have been translated into a roadmap with deliverables roughly every six months. We will continue to provide updates on this roadmap and will evaluate the overall progress and validity of each initiative throughout full implementation of FedRAMP Forward over the next two years.

Please click here to download FedRAMP Forward.

FedRAMP has implemented a new logo! The FedRAMP PMO has been working to subtly update the FedRAMP logo to give it a more modern and fresh look. The FedRAMP PMO has released an update to the Branding Guidance to reflect use of the new logo, as well as high-resolution images of the new logo.
