The General Services Administration provided more details on Tuesday about a new mandatory security assessment program for federal cloud providers.
A 47-page concept of operations document about the Federal Risk and Authorization Management Program (FedRAMP), which GSA manages, details how agencies and cloud vendors can initiate the FedRAMP process, how the program will work and what is required of all parties involved in the process.
One thing vendors should expect is new service level agreements that hold them legally responsible for meeting and maintaining FedRAMP requirements, according to the document.
But GSA doesn’t clearly define what services will be available through FedRAMP when “initial operational capabilities” are launched in June. For example, here’s a description of what’s to come this fiscal year: “Launch IOC (initial operational capabilities) with limited scope and cloud service provider” and “authorize” cloud service providers. What does “limited scope” mean?
I am also curious to know how many companies have applied to become third party assessment organizations, or 3PAOs. These companies, if approved by a federal review board, will provide an independent assessment of vendors’ cloud systems and services under FedRAMP.
GSA wouldn’t say how many companies have applied to become 3PAOs, let alone who they are, but GSA described the number of applicants as “a very healthy number.” GSA said it won’t complete the review process for 3PAOs until mid-April.