Cloud service providers have until June to have their services accredited by the Federal Risk and Authorization Management Program (FedRAMP) if they want to do business with U.S. federal agencies. According to the program’s website, FedRAMP is a “government-wide, standardized approach to cloud security assessments, authorization, and continuous monitoring for cloud products and services.”
To be accredited, service providers must implement FedRAMP security requirements, have their cloud systems audited by a FedRAMP-approved assessor, and provide the assessments for review by the FedRAMP Joint Authorization Board. Each agency currently manages its own security risks and provides ongoing security assessments and authorizations for each IT system it uses, even if that system is being used by other agencies. FedRAMP will eliminate that redundancy by using a “do once, use many times” framework.
Maria Roat, FedRAMP director within the General Services Administration (GSA), advised providers and federal agencies at the Federal Cloud Computing Summit in mid-December to work directly with the FedRAMP office and to get the review process underway soon. Providers working directly with FedRAMP should expect the process to take four to five months to complete, while those going it alone can expect it to take six months, according to a January 6 article on Talkin’ Cloud.com.
FedRAMP is mandatory for all low- to medium-risk federal agency cloud deployments and service models; private deployments intended for single organizations and implemented fully within federal facilities are excluded.
Although the U.S. federal government’s “Cloud First” policy requires its agencies to use cloud services when possible to – according to the GSA website – increase capacity, flexibility, and responsiveness, as well as save money, organizations should be aware of the risks of moving to the cloud. These include service provider downtime that prevents access to information; potential security lapses; difficulty in physically locating information, implementing legal holds, or disposing of information once it has met its retention requirements; and violating other countries’ privacy restrictions on personal information about their citizens.
To learn more about these risks and how to mitigate them, consult ARMA International’s related resources, Guideline for Outsourcing Records Storage to the Cloud, Cloud Computing: Introducing the Vital Questions online course, and the free Hot Topic “Making the Jump to the Cloud? How to Manage Information Governance Challenges.”