New Compliant CSPs!
The FedRAMP PMO is excited to announce two new FedRAMP Compliant cloud systems!
Autonomic Resources LLC received a JAB Provisional Authorization on October 9, 2015. The ARCWRX Platform-as-a-Service (PaaS) offering, built on Red Hat OpenShift, provides an application development platform within a multi-tenant virtual environment leveraging the ARC-P IaaS system.
Datapipe received a JAB Provisional Authorization on October 9, 2015. The Datapipe Government Solutions Federal Community Cloud Platform (FCCP) provides a unique approach to security that allows federal agencies to have more control and flexibility to meet their unique security needs. This platform is one of the first P-ATOs issued to a PaaS cloud service provider covering management through the virtual operating system.
FedRAMP now has 22 JAB P-ATOs and 50 FedRAMP Compliant CSP systems! A complete list of all FedRAMP Compliant CSPs can be viewed here.
“There is no real cloud security model that’s been written in the U.S. outside of FedRAMP. Enterprises want a model they can snap into, and I think FedRAMP is as good a model as any.” ~ Teresa Carlson, Amazon Web Services’ Vice President of Worldwide Public Sector
Commonly Missed Documents
Submitting a complete authorization package helps to speed up processing time and the time to initiate a package review. But the PMO has noticed a trend of Cloud Service Providers (CSPs) neglecting to include the fifteen required documents for an Initial Review. A list of the required documents can be found in the Initial Review Standard Operating Procedure.
The PMO has put together a list of the top five commonly missed required documents to help CSPs put together a complete Authorization Package the first time around.
Lessons Learned: Initial Review
Over the past few months, the FedRAMP PMO has conducted nearly 20 Initial Reviews of CSP packages. These reviews evaluated twenty-one Critical Controls for readability, relevance, sufficiency, and consistency. FedRAMP’s definition of each criterion is as follows:
- Readable: Can we understand what was written?
- Relevant: Did the statement actually address the control requirement?
- Sufficient: Is there enough detail to fully address all portions of the requirement and meet any security-related needs?
  - Tip: This is usually the “how” of a control statement.
- Consistent: Do the implementation statements and the control template checkboxes match?
  - Tip: Is “Implemented” checked when a response describes a solution that is in place?
New Team Member!
We’re incredibly excited to announce another team member joining FedRAMP, Ashley Mahan! Ashley has served as a trusted Cyber Security Advisor for the Federal Government for the past decade, and her joining the FedRAMP Team will help lead the effort to integrate FedRAMP and Cloud Computing into Agency IT Portfolios.
Now Available: Review and Approve Training Module
FedRAMP’s “Review and Approve (R&A) Process” training module is now available on Blackboard. This training is designed to help FedRAMP Cloud Service Provider (CSP) and agency applicants understand the process to achieve FedRAMP compliance.
Students will learn:
- The roles and responsibilities of CSPs, FedRAMP PMO, and Authorizing Officials
- The designations given to authorization packages throughout the R&A process
FedRAMP in the News:
- Private companies heart government cloud security controls (FedScoop)
- Teresa Carlson: FedRAMP impacts enterprise cloud security baselines, AWS GovCloud use (Executive Biz)
- Nextgov: Autonomic Resources’ open source PaaS gets FedRAMP approval (Executive Biz)
- FedRAMP TIC overlay pilots to answer questions around agency, cloud provider responsibilities (Fierce Government IT)
- Challenge.gov and change in government (FCW)
- Dave Rey: Salesforce to offer analytics cloud for gov’t under FedRAMP ATO (State Scoop)
- FedRAMP turbocharges smooth entry into cloud services for government mobility (Security Intelligence)
- Andras Szakal, Dan Chenok highlight FedRAMP mobile benefits (GovCon Wire)
- IBM’s Andras Szakal, Dan Chenok overview FedRAMP’s mobile offerings (Executive Biz)
- DoD reaches 36 ‘provisional’ authorizations for commercial cloud services (Federal News Radio)
- Moving beyond pre-season in the Federal cloud (Nextgov)