Skip to main content

November 2014 Newsletter


At this time, the FedRAMP PMO is not sponsoring any events or training sessions.  Members of the FedRAMP team will be participating in the following events:

  • December 4, 2014 , Software Information Industry Association (SIIA) Members Meeting
  • December 4, 2014 (2-3PM) , NextGov Tech Exec Series: Roadmapping the Future of Cloud Computing
  • December 11, 2014 (3-3:30PM) , Federal Cloud Computing Summit (Fed Summit)
    • For more information click here

FedRAMP Authorized CSPs

This month Microsoft Office 365 Multi-Tenant & Supporting Services received an Agency Authorization from the Department of Health and Human Services Office of Inspector General.

The official list of the 23 compliant cloud services can be found here.

Documentation Release

On October 28, the FedRAMP PMO released an updated Plan of Action and Milestones template.  This updated template is available here.   The FedRAMP PMO has not released any other new or updated documents.

Public Comment Requests

The FedRAMP PMO appreciates the feedback provided on the various documents that have been posted for public comment. The PMO will publish the responses to the substantive comments on next week for the following documents:

  • Incident Response Requirements and Process Clarification
  • Vulnerability Scanning Requirements and Process Clarification
  • FedRAMP Continuous Monitoring Reporting and POA&M Template

Editorial comments submitted as part of the public feedback process will not be answered individually, but will be considered as part of our documentation update process.

In addition, The FedRAMP PMO would like to remind you that the updated FedRAMP Security Assessment Test Case Workbook is open for public comment until December 12, 2014.    We hope you take advantage of this public comment period by providing industry and expert feedback on the workbook to by the deadline.

As refresher, the FedRAMP Security Assessment Test Case Workbook provides a standard risk and controls template for assessing baseline controls and helps to drive consistency in the annual assessment testing performed by Third Party Assessor Organizations (3PAOs). 3PAOs use this workbook to test selected baseline controls per required test procedures and document any control deficiencies and findings. The updates the FedRAMP PMO made on the workbook reflect the significant changes to baseline control descriptions, enhancements and associated test procedures accordingly to NIST SP 800-53 Revision 4.

FedRAMP Ready Systems

Last month, the FedRAMP PMO implemented a new category of systems called FedRAMP Ready.  We noticed that this new category has caused some confusion as it relates to CSPs categorized as FedRAMP In Process or FedRAMP Compliant. The systems categorized as being the FedRAMP Ready have documentation ready to begin the Security Assessment Framework (SAF). However, it is important to note that FedRAMP Ready systems have not kicked off the SAF with an Agency or FedRAMP PMO and therefore are not yet considered FedRAMP In Process. To help provide further clarification about the FedRAMP Ready category, the PMO is releasing the graphic below to convey where that category falls in a CSP’s path to FedRAMP compliance.

Steps to FedRAMP Compliance

The FedRAMP PMO and Cloud Service Providers have been putting a significant amount of work into transitioning new systems into FedRAMP Ready systems. Recently, the systems GovDelivery Communications Cloud and SoftLayer Federal Cloud were added to the list of FedRAMP Ready Systems.

The current list of FedRAMP Ready Systems include:

  • CA Technologies
  • GovDelivery
  • OnCloud
  • PegaCloud
  • QTS (Quality Technology Services)
  • SoftLayer

For more information and to see those systems designated as FedRAMP Ready, click here.

FedRAMP In Process Systems

The FedRAMP PMO continues to work with Cloud Service Providers to transition systems to FedRAMP In Process. Currently, the FedRAMP PMO has 17 systems in process to receive a JAB Provisional Authorization and 18 systems in process to receive an Agency Authorization.

Systems that recently transitioned to the FedRAMP In Process status include:

  • BlackMesh , SecureCloud
  • Project Hosts , Federal Private Cloud for SharePoint / Project Server / CRM

To see the full list of FedRAMP In Process systems, click here.

Page of