Shows & Panels
- The 2014 Big Picture on Cyber Security
- AFCEA Answers
- Ask the CIO
- Building the Hybrid Cloud
- Connected Government: How to Build and Procure Network Services for the Future
- Continuing Diagnostics and Mitigation: Discussion of Progress and Next Steps
- Federal Executive Forum
- Federal Tech Talk
- The Future of Government Data Centers
- The Future of IT: How CIOs Can Enable the Service-Oriented Enterprise
- The Intersection: Where Technology Meets Transformation
- Maximizing ROI Through Data Center Consolidation
- Modern Mission Critical Series
- Moving to the Cloud. What's the best approach for me
- Navigating Tough Choices in Government Cloud Computing
- The New Generation of Database
- Satellite Communications: Acquiring SATCOM in Tight Times
- Targeting Advanced Threats: Proven Methods from Detection through Remediation
- Transformative Technology: Desktop Virtualization in Government
- The Truth About IT Opex and Software Defined Networking
- Value of Health IT
- Air Traffic Management Transformation Report
- Cloud First Report
- General Dynamics IT Enterprise Center
- Gov Cloud Minute
- Government in Technology Series
- Homeland Security Cybersecurity Market Report
- National Cybersecurity Awareness Month
- Technology Insights
- The Cyber Security Report
- The Next Generation Cyber Security Experts
Shows & Panels
FedRAMP cloud security memo makes it past OMB director's review
Tuesday - 11/29/2011, 7:32pm EST
Multiple sources have confirmed Lew approved the documents before Thanksgiving. Sources say OMB will issue both the memo and guidance as early as next week. The sources requested anonymity because they didn't get approval to speak about the memo.
OMB declined to comment on whether or not Lew had reviewed materials.
But spokeswoman Moira Mack said, "The administration is in the process of finalizing the Federal Risk and Authorization Management Program and we anticipate it will be completed and released before the end of the calendar year."
The memo and guidance, however, are just the first step in a much longer process. OMB, the departments of Defense and Homeland Security and the General Services Administration must have the initial operating capability up and running within 60 days. But full operating capability, which means agencies can ask vendors to submit their cloud services for approval, will not be in place for a year.
OMB has been promising to finalize FedRAMP for almost a year, but found it more challenging to get sign-off on the security requirements from DoD, DHS and GSA.
Dave McClure, GSA's associate administrator in the Office of Citizen Services and Innovative Technologies, said today at a cloud computing event FedRAMP was "imminent," but didn't give an exact day it would be made public.
"We are taking a measured and careful approach to how we roll out FedRAMP," McClure said at the conference in Washington sponsored by 1105 Government Information Group. "We want to be confident the operations process we set up works. We tried to bring a lot of different people into the conversation."
McClure added he expects there to be kinks that need to be worked out over time, but the policy and standards address the need to build trust and consistency in the process to secure cloud computing.
At last month's Information Security and Privacy Advisory Board meeting, McClure said a flood of documents would follow the memo and guidance release.
He said the Joint Advisory Board (JAB), made up of DHS, DoD and GSA, will issue the concept of operations, security controls, including continuous monitoring requirements, the notice for independent companies to become third-party accreditors of cloud services, the conformity assessment model and continuous monitoring controls.
McClure said FedRAMP will be rolled out in phases. Under the initial operating capability, FedRAMP's JAB and the program management office will focus on getting enterprisewide services that every agency can use, such as email, through the process.
In time, OMB will make FedRAMP mandatory. Federal CIO Steven VanRoekel said last month in a speech in California that once the cloud security standards process is in full swing, agencies must purchase only those services that have been approved by the JAB.