FedRAMP Program Aims to Simplify Government Cloud Purchases
The U.S. Office of Management and Budget, in conjunction with Federal CIO Steven VanRoekel, has issued a policy memo establishing the Federal Risk and Authorization Management Program (FedRAMP), designed to reduce the costly and inefficient overlap in which federal agencies spend taxpayer dollars to learn what other departments already know about the cloud.
According to that memo, provided for public review on the office’s website, currently “[there] is little incentive to leverage existing Authorizations to Operate (ATOs) among agencies, with many preferring to perform their own ATOs when other agencies have approved the same cloud systems for secure use within their agencies.”
To address this, FedRAMP will provide a standardized route to cloud service auditing, so governmental agencies can adopt a given cloud solution that already has met a certain tried-and-true standard.
Here’s VanRoekel’s own list of benefits FedRAMP will provide, with a highlight by yours truly:
- Saves significant cost, time and resources – do once, use many times
- Improves real-time security visibility
- Supports risk-based security management
- Provides transparency between government and cloud service providers (CSPs)
- Improves trustworthiness, reliability, consistency, and quality of the federal security authorization process
FedRAMP has plenty of public sector supporters, with the Department of Defense, the Department of Homeland Security, the General Services Administration, the National Institute of Standards and Technology, and the Office of Management and Budget all standing behind the new standard.
I have to say that I’m impressed: Within four months, VanRoekel and his team have identified a major roadblock to federal cloud adoption and formed a coherent, logical plan to address it. Between this and his “Future First” investment roadmap, it looks as though VanRoekel is set on continuing what his predecessor accomplished.
Of course, any more praise is pending FedRAMP actually materializing as a standard that CSPs and government agencies can get behind. But it’s a strong first step, and I’m very much interested to hear more.