Federal Chief Information Officer Steven VanRoekel is expected to make an announcement on Thursday detailing the administration’s long-awaited Federal Risk and Authorization Management Program (Fedramp).
VanRoekel will be joined by Dave McClure of the General Services Administration, Department of Homeland Security CIO Richard Spires and Charles Romine of the National Institute of Standards and Technology, the Office of Management and Budget said in a news release. They will provide an update about efforts to reform federal information technology and details about how Fedramp will allow the government to more easily purchase and use cloud technologies.
The goal of Fedramp is to help agencies overcome their security concerns with cloud computing. A joint authorization board, whose members include CIOs at DHS, GSA and the Defense Department, is responsible for authorizing the use of vendors’ cloud computing systems at federal agencies. The board is tasked with making final decisions about Fedramp security controls, policies, and procedures used to determine the security level of cloud computing products.
Rather than seeking certifications from multiple agencies, Fedramp-certified vendors will have to meet standard security requirements only once to qualify to do business with multiple agencies.
Fedramp launched in 2009 and was expected to be implemented in late 2010, according to a September report by the Government Accountability Office. But GSA and OMB said the range of stakeholders involved slowed down the process.
The report also includes program goals:
– Develop a cloud computing security requirements baseline that is used across the federal government.
– Develop and implement processes for joint security assessment, authorizations, and continuous monitoring of cloud computing services.
– Promote consistent interpretation of cloud service provider authorization packages through a standard set of processes and evaluation criteria.
– Improve consistency and efficiency of continuous monitoring of cloud computing systems and foster cross-agency knowledge sharing and communication of best practices.
– Obtain interagency vetting and buy-in of the approach to security assessment, authorizations, and continuous monitoring of cloud computing services.