ARTICLE
19 April 2016

A New Hope For An Expedited FedRAMP Process

Morrison & Foerster LLP

Contributor


The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program to assess, monitor, and pre-authorize cloud-based products and services. Agencies often include in their solicitations a requirement for FedRAMP certification, and cloud service providers (CSPs) must obtain this certification before implementation of any services. FedRAMP uses Third Party Assessment Organizations (3PAOs) to perform initial and periodic cybersecurity assessments of CSPs, based on a baseline set of controls established by the National Institute of Standards and Technology (NIST).

The first question we typically field from clients seeking to go through the FedRAMP certification process is: "How long will this take?" As the number of contractors seeking certification has increased, the process has been getting slower, even as more 3PAOs have become available to conduct assessments.

The General Services Administration (GSA) has attempted to expedite the authorization process with a revamped "FedRAMP Ready" program. To be "FedRAMP Ready," a CSP must have an onsite assessment of its system by an accredited 3PAO to ensure that the system meets minimum quality and security standards. The onsite assessment will now be based on pre-identified, required FedRAMP Readiness Capabilities, and the results of the assessment will be documented in a FedRAMP Readiness Assessment Report.

The draft FedRAMP Readiness Assessment Report Template and a companion document, the FedRAMP Readiness Assessment Guidance, have just been released for public comment. The full notice is available here: https://www.fedramp.gov/provide-public-comment/draft-readiness-capabilities/. The comment period ends on April 29, 2016.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved
