The FedRAMP PMO will host a 3PAO training session at the General Services Administration National Capital Region (NCR)
Building Auditorium (301 7th Street, SW; Washington, DC) on September 17, 2014 from 9:30am , 12:00pm.
This will be the first in a series of regular, periodic sessions hosted by the FedRAMP PMO for accredited 3PAOs.
The September 17th 3PAO training session will include the following topics:
- 3PAO required documentation and review process for authorizations
- Specifics regarding FedRAMP JAB ISSO reviews
- Details around sufficiency of evidence within the SAR
- Ensuring quality control and accuracy of reporting
- Review of general questions around 3PAO work asked over the past year
In addition, the FedRAMP PMO will be participating in many upcoming events including:
- September 16, 2014 , ACT-IAC Shared Services Forum
- September 18, 2014 , DGI 2014 Cloud Conference
- September 23 & 24, 2014 , Cloud Tech & Government IT Summit
- October 28, 2014 , Tech Council of Maryland: Cyber Security Financial Forum
All documentation is current and there have been no new releases of our public templates.
Public Comment Requests
On August 20, 2014, the FedRAMP PMO released four documents for public release with comments due on September 19, 2014:
- FedRAMP’s Approach to Continuous Monitoring
- This is the first in a series of public comment requests to transition the FedRAMP continuous monitoring program to a more risk-based framework.
- FedRAMP Continuous Monitoring Executive Summary and Plan of Action and Milestones (POA&M) Templates
- In an effort to make continuous monitoring requirements and reporting consistent for CSPs across all types of security packages (JAB, Agency, CSP supplied), these two templates will become mandatory documents for all packages.
- Updated Test Cases for Incident Response and Vulnerability Scanning.
- These test cases are being updated to more appropriately reflect the intent of the control and to ensure that a CSP has necessary capabilities and working processes to achieve the goals of these controls.
There is no specific format requested for comments on these documents. Please provide feedback and comments to email@example.com by September 19, 2014.
CSPs with a FedRAMP Authorization
At this time, 12 cloud services obtained a FedRAMP JAB Provisional Authorization and 5 cloud services obtained a FedRAMP Agency Authorization. The official list of compliant cloud services can be found here. If you are an agency that has worked with a CSP to complete a FedRAMP compliant security package and it is not listed on this page, please contact the FedRAMP PMO (firstname.lastname@example.org) so the necessary documentation can be filed. This will allow other agencies to re-use the security assessment documentation in support of the “do once, use many times” approach to federal cybersecurity that FedRAMP enables.
If you are an agency looking to re-use an authorization package, please complete the package request form. Once you accept the risks and issue an Agency ATO based on the FedRAMP documentation package, please send the FedRAMP PMO (email@example.com) a copy of your ATO letter so we promote re-use and assist with FedRAMP Agency compliance.
Below are CSPs who have recently completed their annual security testing and currently have their Security Assessment Report (SAR) under review:
CSPs In Process for a FedRAMP Authorization
AT&T Government Cloud kicked off with the FedRAMP PMO on September 3, 2014 and is now in the process of attaining a JAB Provisional Authorization. Overall, FedRAMP currently has 19 Cloud Services in the JAB Provisional Authorization pipeline, and 15 Cloud Services in process for an Agency Authorization. A full list of in-process CSPs can be found here.
Additionally, the page contains a listing of CSPs that demonstrated readiness to begin the FedRAMP authorization process and are waiting on a kickoff with either Federal agencies or the FedRAMP JAB. The list includes the following CSPs:
- Pegasystems Inc.
- Project Hosts
- Softlayer Technologies, Inc.
If you are are an agency ready to kick off the authorization process with one of these CSPs, please let the FedRAMP PMO know. Additionally, if you are CSP actively working on a FedRAMP Agency authorization, and your cloud service is not identified on the in-process list, please contact the FedRAMP PMO (info@FedRAMP.gov) so we can add the cloud service to the list.
Department of Homeland Security TIC Initiative
Over the past several months, the FedRAMP PMO has been collaborating closely with the DHS TIC Initiative to better align the requirements and agency implementations of these two critical Federal cybersecurity initiatives.
The purpose of the TIC Initiative is to optimize and standardize the security of individual external network connections currently in use by federal agencies, including connections to the Internet. The initiative improves the federal government’s security posture and incident response capability through the reduction and consolidation of external connections, and provides enhanced monitoring and situational awareness of external network connections.
The FedRAMP PMO is working with DHS to better align the Administration’s Cloud First policy and TIC’s goal of consolidating external connections. DHS FNR and FedRAMP are working to develop guidance for departments and agencies deploying data and applications to cloud service providers. The goal is to provide recommendations for ensuring TIC compliance for cloud deployments and aligning TIC-specific requirements with FedRAMP through the 800-53 baseline security controls. This guidance will align how departments and agencies implement TIC critical capabilities with a security assessment under the FedRAMP framework as a cloud deployment is developed. The work and guidance provided by TIC and FedRAMP will not change how Departments and agencies are currently being assessed against the TIC Reference Architecture v2.0.
For more information on the TIC Initiative, you can contact Sara Mosley, the TIC Program Manager at firstname.lastname@example.org.