June 2015 FedRAMP Newsletter

New Compliant CSPs!

The FedRAMP PMO is excited to announce two new FedRAMP compliant cloud systems!

Virtustream Inc. received a JAB Provisional Authorization on June 5, 2015. Virtustream Federal Cloud (VFC) is an Infrastructure as a Service (IaaS). The company describes its product, xStream, as “secure, high-performance cloud software” that enables governments to run secure public clouds.
Appian received an Agency Authorization through the Federal Transit Administration (FTA) on April 23, 2015. Appian Cloud is a dual Platform as a Service (PaaS)/Software as a Service. This enterprise application unites users with all their data, processes, and collaborations – in one environment, on any mobile device, through a social interface. With Appian Cloud, Federal Agencies can rapidly build, deploy, use, and scale innovative apps.

FedRAMP now has 36 compliant CSP systems. A complete list of all FedRAMP compliant CSPs can be viewed here.

Feature Item

The Value of Quality Management to CSPs

Cloud Service Providers (CSPs) who incorporate Quality Management into their Authorization Package development projects will realize a return on their investment throughout the FedRAMP Review process. Quality documentation is clear, concise, consistent, and complete. Quality documentation minimizes costly rework and time-consuming delays caused by clarifying misunderstandings and waiting for missing documentation. FedRAMP requires quality documentation to provide a clear and complete description of the risk posture of a cloud system and reduce an Agency’s level of effort to reuse an Authorization Package. Read More.

FedRAMP to Unveil New Training Course

If you found FedRAMP’s first training course helpful, then you will be excited to learn the next training course is not too far behind! Expected to launch on July 1, 2015, the second course in our training series, “FedRAMP System Security Plan (SSP) Required Documents” will be mandatory for SSP submission. This course will familiarize you with the required documentation for initial package submission.

The FedRAMP PMO understands that writing a detailed SSP is necessary for a successful initial review. This course will provide a detailed overview of an SSP and its supporting documents, to give you the tools to accurately describe your system’s security controls. This is the second course in the FedRAMP training series and more will be released in the coming months.

New Document: JAB P-ATO Vulnerability Scan Requirements Guide

FedRAMP requires all Authorized Cloud Service Providers (CSPs) to perform at least monthly vulnerability scans of their cloud service systems. These vulnerability scans are the cornerstones for the continuous monitoring of CSPs’ cloud service risk postures, enabling authorizing officials to continue to authorize CSP cloud systems for use. CSPs are responsible for ensuring the highest quality vulnerability scans. FedRAMP evaluates all vulnerability scanning reports and provides a summary report to the Joint Authorization Board (JAB). In this way, FedRAMP maintains a current view of the security posture of the CSP systems through scanning and continuous monitoring documentation.

On June 3, 2015, the FedRAMP PMO released the “JAB Provisional Authorization (P-ATO) Vulnerability Scan Requirements Guide.” This document describes the requirements for all vulnerability scans of FedRAMP CSP products. Consult the guide for a full listing of vulnerability scan requirements.

Upcoming Events:

FedRAMP in the News:
