October 2014 Newsletter

Events

At this time, the FedRAMP PMO does not have any events or training sessions planned.

The FedRAMP PMO will be participating in the following events:

  • October 28, 2014, TechAmerica GSA/Cloud Working Group
  • October 28, 2014, 4th Annual Cyber Security Financial Forum in Washington, DC (www.csff2014.com)
  • October 29, 2014, USDA Cybersecurity Expo

FedRAMP Ready Systems

This month, FedRAMP is introducing a new category of systems highlighted on the FedRAMP website that have been reviewed by the FedRAMP PMO: FedRAMP Ready Systems. FedRAMP is including systems in this category that have a demonstrated readiness to initiate assessments and authorizations with potential agency customers.

As more and more cloud services enter the FedRAMP assessment process, FedRAMP is providing a new way to help agencies and CSPs achieve a FedRAMP authorization faster. FedRAMP Ready systems have documentation that has been reviewed by the FedRAMP PMO and at a minimum have gone through the FedRAMP PMO readiness review process. Systems in this category will have varying degrees of demonstrated readiness, from initial documentation to all required documentation and completed assessments from FedRAMP accredited 3PAOs. The listing for each FedRAMP Ready System will detail the specifics of what each vendor has provided and what is available for agencies to use. Agencies can then use this documentation to initiate an assessment and authorize these systems faster than starting from scratch.

FedRAMP Ready Systems will also incorporate open source build documentation to assist agencies in rapidly deploying these solutions in cloud environments in a secure fashion.

Systems listed as FedRAMP Ready include:

  • CA Technologies
  • OnCloud
  • PegaCloud
  • Project Hosts
  • QTS (Quality Technology Services)

For more information and to see those systems designated as FedRAMP Ready, please click here.

Documentation Release

The FedRAMP PMO has not released any documents or document updates since the last newsletter.

Public Comment Requests

The FedRAMP PMO will be reaching out to Cloud Service Providers who provided comments on the “Evolution of FedRAMP Continuous Monitoring Framework” for further discussion.

In addition, FedRAMP is updating its Security Assessment Test Case Workbook to reflect significant changes to baseline control descriptions, enhancements and associated test procedures according to NIST SP 800-53 Revision 4.

The workbook provides a standard risk and controls template for assessing baseline controls and helps to drive consistency in the annual assessment testing performed by Third Party Assessor Organizations (3PAOs). 3PAOs use this workbook to test selected baseline controls per required test procedures and document any control deficiencies and findings.

FedRAMP will seek industry and expert comment and feedback on this workbook. The FedRAMP PMO will post the workbook on www.FedRAMP.gov and the open public comment will start on November 3 and end on December 12.

FedRAMP Compliant CSPs

At this time, 21 cloud services meet the FedRAMP requirements. The official list of compliant cloud services can be found here.

The following systems recently received Agency ATOs:

  • OMB MAX.gov Shared Services, FedRAMP Agency Authorization
  • United States Department of the Treasury, Workplace.gov Community Cloud (WC2), FedRAMP Agency Authorization
  • Verizon Enterprise Cloud Federal Edition (ECFE), FedRAMP Agency Authorization

If you are an agency looking to re-use an authorization package, please complete the Package Request Form and submit it to info@fedramp.gov in order to access and review the security packages.

If your agency has granted an ATO to a FedRAMP compliant system, send a copy of your ATO letter to the FedRAMP PMO at info@fedramp.gov to ensure your agency’s use of the cloud system receives updates and notifications from the FedRAMP PMO.

In addition to the cloud services that recently received an Agency ATO, the following CSPs in process for a FedRAMP JAB Provisional Authorization have moved to new phases in the security authorization framework:

  • Clear Government Solutions, FedGRID, now in authorization phase
  • SecureKey (leveraging HP ECS-VPC), briidge.net Exchange™ for FCCX, now in authorization phase
  • Oracle, Oracle Service Cloud, now in authorization phase

CSPs In Process for a FedRAMP Authorization

FedRAMP currently has 18 Cloud Services in the JAB Provisional Authorization pipeline and 14 Cloud Services in process for an Agency Authorization. A full list of in-process CSPs can be found here.

Recently, the following cloud services initiated Agency ATOs and were added to the FedRAMP website:

  • Huddle, Huddle
  • National Technical Information Service (NTIS), Data Center and Hosting Services
  • U.S. Department of Veterans Affairs, SDE EO Cloud

If you are an agency or CSP actively working on a FedRAMP authorization and your cloud service is not identified on the in-process list, please contact the FedRAMP PMO (info@FedRAMP.gov) so we can add the cloud service to the list.

Accredited 3PAOs

Currently, 31 independent assessors have received a FedRAMP 3PAO accreditation through the FedRAMP PMO and the American Association for Laboratory Accreditation (A2LA). The official list of Accredited 3PAOs can be found here.

The 31 accredited FedRAMP 3PAOs listed on the FedRAMP website include 3 newly accredited 3PAOs:

  • Creative Computing Solutions, September 30, 2014
  • Ernst and Young, September 30, 2014
  • Logyx, September 30, 2014

IPv6

The Federal CIO Council’s Fedv6 Taskforce is hosting an IPv6 Cloud Tech Session on Tuesday, November 4, 2014 specifically for interaction with Cloud Service Providers.

The exhaustion of the global IPv4 address space has impacted the growth of Internet use, the innovation of new services, and the robustness of existing services. As a result, the role of the Fedv6 Taskforce is to assist and coordinate agency activities in response to OMB’s IPv6 policies and mandated objectives. As a governance organization it serves to identify and help resolve implementation hurdles, monitor and capture agency progress, and enable cross-agency collaboration efforts.

The Office of Management & Budget has requested all agencies to implement IPv6 to preserve business continuity and to support the successful deployment and expansion of key Federal information technology (IT) modernization initiatives, such as Cloud Computing, Broadband, and SmartGrid, which rely on robust, scalable Internet networks.

The Fedv6 Taskforce is hosting this event on November 4 geared specifically towards Cloud Service Providers so that these organizations can learn more about the importance of providing cloud services over IPv6 as a business advantage and be provided with some immediate next steps for deploying IPv6 within the services being offered to the Federal government.

The meeting will take place at NASA HQ, 300 E Street, SW, Washington, DC 20546 from 2:30pm to 5pm in the Glennan Auditorium (room IO35).

Registration is required to participate in the FedRAMP IPv6 Tech Session. Please email Trey Kennedy (Trey_Kennedy@sra.com) with the following information:

  • Company Name
  • Name of Person(s) Attending
  • Confirmation of US Citizenship
  • Attendance Preference: In-person or Remote via WebEx
  • Email addresses of all people attending the meeting

After registration, Mr. Kennedy will email a confirmation and a finalized agenda to all of the registered participants.