In this month’s newsletter:
- New FedRAMP Compliant CSPs
- Guidance for Agency Assessments and Authorizations
- DoD CC SRG v1 Release
- New Personnel Announcements
- FedRAMP is Hiring
- Upcoming Public Releases
NEW FEDRAMP COMPLIANT CSPS
The FedRAMP PMO is excited to announce that new systems have joined the list of FedRAMP compliant cloud systems.
- Edge Hosting, LLC – CloudPlus
- Project Hosts – Federal Private Cloud
This brings us to a total of 29 FedRAMP compliant cloud services! The details about each offering can be found here.
GUIDANCE FOR AGENCY ASSESSMENTS AND AUTHORIZATIONS
The FedRAMP PMO has released a quick guide to illustrate the process for obtaining a FedRAMP agency ATO. This high-level guide points to the assessment process found in the FedRAMP Security Assessment Framework and emphasizes the documents needed in order to submit a package for an Agency ATO.
The guide provides a checklist of the agency ATO package documents required in order for a package to be properly submitted to the FedRAMP PMO. Additionally, the guide provides a sample Certification Letter which agencies can use as a template when creating their own letters.
To download the Guidance Package for Agency ATO, please click here.
DoD CLOUD COMPUTING (CC) SECURITY REQUIREMENTS GUIDE (SRG) V1
The DoD Cloud Computing (CC) Security Requirements Guide (SRG) Version 1 was published on 13 January 2014. This SRG defines the baseline security requirements for commercial and DoD Cloud Service Providers hosting DoD information, systems, and applications, and for DoD Mission Owners’ use of commercial and DoD cloud services. This guidance is based on DoD Instruction 8510.01, Risk Management Framework, leveraging the processes defined as part of the Federal Risk and Authorization Management Program (FedRAMP) V2 using NIST SP 800-53 Rev 4 control requirements.
In accordance with DoD Instruction 8500.01, the CC SRG Version 1 is released for immediate use. The document is available here.
DoD will be holding an industry day regarding the release of the CC SRG v1. Registration details are at the end of this newsletter.
NEW PERSONNEL ANNOUNCEMENTS
We’ve had some personnel changes here at the FedRAMP PMO and wanted to share with everyone who they’ll be interacting with and what their roles are on the PMO.
Matthew Goodrich, FedRAMP Director
On November 28, 2014, Matt Goodrich was announced as the new FedRAMP Director. If you’ve been following FedRAMP at all, you know that Matt has been with the FedRAMP program since its inception in 2011, and played a major role in writing the policy document that established it while he was on detail to OMB. Previously, Matt was the program manager and acting director for FedRAMP, proving his leadership capabilities by helping get FedRAMP to where it is today. We look forward to even further success for the program as he officially takes the lead. You can follow Matt on Twitter as @MrFedRAMP.
Claudio Belloli, FedRAMP Program Manager for Cybersecurity
Claudio Belloli joined the FedRAMP team in July of 2014 as the Program Manager for Cybersecurity. Claudio currently oversees all of the vendors going through the JAB P-ATO process, acting as an Information System Security Manager on steroids. He works with the PMO’s ISSO team, CSPs and 3PAOs to ensure that they meet the rigorous reviews set forward by the JAB and that vendors with a P-ATO continue to maintain their authorizations through Continuous Monitoring. Claudio previously worked for Booz Allen Hamilton supporting the DoD CIO, and was an original member of the DoD JAB technical review teams for the first FedRAMP provisional ATOs. We’re thrilled to have him join the team and bring his expertise as we continue to expand the CSPs we authorize through the JAB.
John Hamilton, FedRAMP Program Manager for Operations
John is joining the FedRAMP team on Monday, January 26, as the Program Manager for Operations. John will oversee much of the development work of the FedRAMP PMO and facilitate full implementation of the FedRAMP Forward plan released in December. He’ll also work with Claudio to ensure that all of the lessons learned from the JAB P-ATO process are fully incorporated in the guidance documents, trainings, and materials available for all FedRAMP stakeholders. John previously worked for Accenture and Booz Allen Hamilton. John is bringing a wealth of technical knowledge through working on PKI rollouts at DOL and mobility policy development and enforcement at DoD. He has also worked extensively on improving program efficiencies and change management. We’re really excited to have John join the team here at the PMO.
THE FEDRAMP TEAM IS HIRING
The FedRAMP team is hiring. If you’re interested in joining this fast-paced, highly visible program and have experience with cloud and cybersecurity, please reach out to the PMO through info@FedRAMP.gov with a resume and a cover letter describing your interest in FedRAMP and why you’d be a strong addition to the team. We’re looking for people with great technical backgrounds and awesome program management skills who also don’t mind digging in and doing some work. Please put “FedRAMP Hiring” as the subject of your email. We’re looking to hire ASAP, so get it to us as soon as possible.
UPCOMING RELEASES FOR PUBLIC COMMENT
FedRAMP will be releasing a draft baseline for cloud systems at the high impact level. The FedRAMP team has been working diligently with key stakeholders across the Federal government to develop the draft. This baseline will be released on Tuesday, 1/27/2015. The baseline will be out for public comment for 45 days.
FedRAMP will host a webinar to review the high baseline, answer questions, and provide details on how to provide comments back to the FedRAMP JAB. The webinar will be Wednesday, 1/28, from 1-2pm.
This will be the first of two public comment periods FedRAMP will provide our stakeholders before finalizing the baseline. The baseline is expected to be finalized prior to the end of CY15.
FedRAMP Acquisition Guidance
The enforcement of the FedRAMP requirements must be done through Federal agency contracts. Right now there is not enough guidance for agency program managers, acquisition officials, and chief information security officers to appropriately enforce FedRAMP in a consistent manner across the USG.
FedRAMP is working with OMB, the CIO Council, and the CAO Council to develop guidance that helps agencies include FedRAMP effectively in their contracts. The guidance is meant to ensure that CSPs meet the FedRAMP requirements, and to encourage agencies both to work with CSPs to obtain these authorizations and to allow appropriate time to get through the entire FedRAMP assessment and authorization process.
Drafts of this guidance will go out for comment in February and will be open for 3-4 weeks for input from government and industry.
DOD CLOUD INDUSTRY DAY DETAILS
DoD CIO Cloud Industry Day: Collaboration for Secure Cloud Partnerships
On January 29, 2015, the Department of Defense Chief Information Officer (DoD CIO) will host a Cloud Industry Day at the U.S. Department of Commerce auditorium in Washington, D.C. The event, scheduled from 9:00 a.m. to 3:00 p.m., will consist of opening remarks by Acting DoD CIO Terry Halvorsen, followed by plenary and panel sessions examining the cradle-to-grave process for cloud service providers and users/customers, as well as new constructs to identify the appropriate security for the use of commercial cloud computing. Attendance is free, but pre-registration is required. The deadline for registration is January 26, 2015, by 2:00 p.m. Pre-registration instructions, logistical information and security compliance requirements are listed below.
The purpose of this unclassified conference is to provide a detailed overview and comprehensive guidance to cloud service providers and customers about the various processes, security and other requirements associated with DoD’s policy and approach to leveraging commercial cloud while balancing risks across a wide spectrum of computing needs. Attendees will also have an opportunity to learn about related and/or complementary initiatives underway to move DoD computing into a commercial cloud infrastructure.
Date and Time
January 29, 2015
Check-In: 7:30 a.m. – 9:00 a.m.
Program: 9:00 a.m. – 3:30 p.m.
U.S. Department of Commerce (14th Street Entrance)
1401 Constitution Ave. NW
Washington, D.C. 20230
Be prepared to present photo identification upon arrival.
- Online pre-registration is required. On-site registration is unavailable.
- Pre-registration opens on January 15, 2015. To pre-register visit: https://www.iad.gov/events/index.cfm
- Pre-registration closes January 26, 2015 at 2:00 PM.
- Attendees will be emailed a confirmation of registration.
Email registration and site questions to firstname.lastname@example.org
Email event questions to email@example.com
Please include “DoD CIO Cloud Industry Day” in the subject of the email.