
Tags Archives: FedRAMP

IT-70 Prepares For a New Addition With the Creation of a Cyber Security SIN

Source: Winvale – GSA Schedule Blog

10 Important Facts About the New Health IT SIN

Source: Winvale – GSA Schedule Blog

Everything You Need to Know About the HCaTS Contract Vehicle

Source: Winvale – GSA Schedule Blog

3 Routes for CSPs to FedRAMP

There are three routes commercial cloud service providers (CSPs) can take to become compliant with the government’s baseline cloud computing standards, known as the Federal Risk and Authorization Management Program (FedRAMP). Although all three routes lead to the same ultimate goal, they can differ in both time to accreditation and cost.

Route to FedRAMP #1

The first route, and the most common for commercial cloud service providers, is gaining a provisional authority to operate (ATO) from the FedRAMP Joint Authorization Board (JAB). This board is led by CIOs at the General Sales Administration (GSA), the Department of Defense (DOD), and the Department of Homeland Security (DOS). In addition to an ATO, a FedRAMP-accredited third-party assessment organization (3PAO) is required to complete this process.

Route to FedRAMP #2

The second route is an alternative. Agencies can grant an ATO to a CSP, and other agencies can choose to take advantage of this authority and work with the company as well. 3PAOs are also involved in agency-issued ATOs and work with both parties to make sure security standards are met.

Route to FedRAMP #3

The third and least common route is the CSP Supplied route. In this route, a CSP can hire a FedRAMP-accredited 3PAO to complete all required documentation, testing and security assessments. Once all these procedures are complete, the information is sent to GSA’s FedRAMP office for verification. Very few companies have taken this route, due to its high cost, but it is a good option for companies that cannot or do not want to take advantage of existing federal contracts and do not wish to partner with other CSPs.

At the FedRAMP Industry Fair on June 4, 2014, the GSA released a table outlining the approximate time it took to become compliant with the government’s baseline cloud computing standards. The table broke out the three routes toward compliance under the categories JAB P-ATOs (Joint Authorization Board provisional authority to operate), Agency ATOs, and CSP Supplied. The timeframes are listed below:

  1. JAB P-ATOs: 9+ Months
  2. Agency ATOs: 4+ Months
  3. CSP Supplied: 6 Weeks

As you can see, the process of becoming cloud computing compliant gets quicker as more money and more energy are spent trying to achieve it. These three paths give companies options to choose from. So ask yourself: which route will you take?

Can the Rain be Cleared from the Cloud?

Many companies are designing new “cloud” offerings. However, each company has a different definition, which is leading to a lot of confusion and miscommunication. Before the cloud era moves forward, it is important to let the sun shine through and shed some light on the matter.

This is incredibly important for Federal IT executives, who are trying to improve service with a shrinking budget. FedRAMP and other cloud regulatory clauses are an attempt to clear up the definition. Also, it’s not 100% guaranteed that moving to the cloud will lower cost. Therefore, another problem arises: once an organization moves to the cloud and the cost savings are not seen, how easy is it to get out? Dr. Paul Tibbits, Deputy CIO for Architecture, Strategy and Design at the VA, asked a similar question at 1105 Media’s Enterprise Architecture Conference. Unisys’s Mark Cohn answered it this way: “That’s an important question to ask, and if an agency doesn’t have that answer, it better be careful.”

The problems an agency will face if it does decide to move from one cloud to another, or to an on-premises solution, are money and time. Migrating to the cloud takes time, and migrating away will also take time. This is something executives need to consider, because if the cloud starts to rain, it could cost jobs. Khalid Kark, an analyst at Forrester Research, Inc., said, “2013 is going to be a peak of investment in the cloud, and we’re going to see a huge maturation process in how the Federal government uses those investments.” If that is true, the way Federal agencies view the cloud is changing. They are starting to look to the cloud as friend and not foe. In my opinion, the true test will come when the first FedRAMP approved cloud provider is awarded. That being said, cloud vendors, it’s off to the races with FedRAMP, and to the winner go the spoils.

FedRAMP: The One Stop Approach

GSA launched the Federal Risk and Authorization Management Program (FedRAMP) last month. The program is intended to provide a one stop approach to monitoring and enforcing security standards for all cloud products and services. As of June 2012, new cloud service providers (CSPs) will need to comply with the security criteria set forth by FedRAMP to sell to federal agencies. However, existing cloud service providers have until 2014 to undergo the security assessment and authorization process.

There are three major players in FedRAMP: the cloud service providers (CSPs), third-party assessment organizations (3PAOs), and the Joint Authorization Board (JAB). According to Government Computer News, CSPs are required to “hire a FedRAMP-approved third-party assessment organization to perform an independent audit of the cloud system and provide a security assessment package for review by the FedRAMP Joint Authorization Board. The JAB may then grant the CSP a provisional authorization, which can be used by federal agencies for review when granting a CSP authority to operate.” It is important to note that GSA does not promote or endorse one certified 3PAO over another. However, it is the responsibility of CSPs to select and cover the cost of a 3PAO.

Though GSA experienced a few hurdles and frustrations while creating the program for agencies to follow, it has set a strong precedent for the future. It is estimated that the industry will produce several billions of dollars over the next five years. Thus, it’s no surprise that the cloud industry is quickly growing and becoming a lucrative business opportunity for vendors.


    © Copyright 2017 GSA Schedule. GSASchedule.com