Yesterday, June 5, was the deadline set by the Office of Management and Budget for all federal agencies to use only FedRAMP-authorized cloud service providers (“CSPs”) for systems at “low and moderate risk impact levels.” The government is poised to spend over $70 billion on IT in 2014, of which $1.7 billion is expected to be spent on cloud services. Any CSP hoping to obtain federal contracts, or maintain its existing contracts, must obtain a FedRAMP authorization.

Beginning in 2011, the U.S. government instituted a “Cloud First” strategy. This initiative encouraged federal agencies to use cloud services where feasible. In light of this, FedRAMP was created to establish a baseline of security standards for cloud service providers that serve the federal government. These security standards were developed by the National Institute of Standards and Technology (“NIST”), which also defined three impact levels – low, moderate, and high – to which the various security controls and standards apply. All federal agencies are required to assess their data and data systems to determine the risk impact level and then ensure that their IT systems and those of their third-party vendors, including CSPs, meet the required security standards for the relevant impact level.

FedRAMP is a program by which CSPs become authorized to serve all agencies of the federal government by implementing the relevant security controls, undergoing an independent assessment of that implementation by a FedRAMP-accredited Third Party Assessment Organization, and then receiving approval from the government’s FedRAMP Joint Authorization Board. The authorization process generally takes between 4 and 6 months.

Following yesterday’s deadline, FedRAMP is expected to adopt a new set of baseline security controls for CSPs in the coming days.