FedRAMP names organizations to review vendors' cloud cybersecurity
Wednesday - 5/16/2012, 5:22am EDT
The General Services Administration named nine organizations, including one federal agency, to provide third-party assessments of cloud services under the Federal Risk and Authorization Management Program (FedRAMP).
The third-party assessment organization (3PAO) will validate and attest to the quality and compliance of the cloud service provider's security package, according to the FedRAMP Concept of Operations issued in February.
The 3PAOs are:
- COACT, Inc.
- Department of Transportation's Enterprise Service Center
- Dynamics Research Corporation
- J.D. Biggs and Associates, Inc.
- Knowledge Consulting Group, Inc.
- Logyx LLC
- Lunarline, Inc.
- SRA International Inc.
- Veris Group, LLC
The 3PAOs will have a harder time offering cloud services to the government. GSA issued conflict of interest rules in December.
"It will be a very strong test that we have to see a clear firewall between those capabilities," said Dave McClure, GSA's associate administrator in the Office of Citizen Services and Innovative Technologies, in an interview with Federal News Radio in December. "The key is we are relying on a specific ISO standard that is a clearer bar an organization must conform to, to demonstrate that separation in functionality. It's not just an arbitrary, 'Tell us how you are doing it.'"
All vendors who want to provide cloud services to the government must first submit documents detailing how they meet FedRAMP's 168 security controls to these third-party assessment organizations.
The 3PAOs will review the documents and submit their recommendation to the Joint Authorization Board (JAB), which is made up of the chief information officers from GSA and the departments of Defense and Homeland Security. After reviewing the 3PAO analysis, the JAB decides whether to grant the company an initial authority to operate. The final authority to operate must come from the agency that is buying the cloud services.
"Under FedRAMP, cloud service provider authorization packages must include an assessment by an accredited 3PAO to ensure a consistent assessment process," said FedRAMP's 3PAO program description document. "Accredited 3PAOs perform initial and periodic assessment of CSP systems per FedRAMP requirements, provide evidence of compliance and play an on-going role in ensuring that CSPs meet requirements."
Along with the list of vendors, GSA issued advice on how to select a third-party assessment organization (3PAO).
"The decision regarding which 3PAO to use is entirely up to the CSP," GSA wrote on its website. "FedRAMP does not make introductions between the CSPs and 3PAOs and does not endorse any one 3PAO over another. It is up to the CSP to manage and facilitate their own relationship with the 3PAO."