Agencies will have more options to buy secure cloud services under a major change detailed in the concept of operations for FedRAMP.
The Federal Risk and Authorization Management Program’s (FedRAMP) program management office (PMO) Tuesday issued a version of the CONOPS, which says vendors may submit their cloud services for approval without first having to have a contract.
Under draft versions, the PMO would have required only agencies to submit the cloud services they wanted approved, leaving vendors in a tough position — how do they get a contract if they are not approved under FedRAMP, and how do they get approved if they don’t have a contract?
“They can go through the entire FedRAMP process, look at the process we laid out, follow all those instructions, create all those documents, provide all that evidence and submit that to FedRAMP and be put into the priority queue,” said Matt Goodrich, the program manager with the Federal Cloud Computing Initiative at the General Services Administration, Wednesday during an industry briefing on the CONOPS sponsored by TechAmerica in Washington. “If you haven’t been prioritized for review by the Joint Authorization Board (JAB), that doesn’t mean we don’t put your assessment package in the repository for agencies to see you have done that work so they can look at it and start to leverage it.”
The PMO, which is run by GSA, released the CONOPS as the fourth document in two months on FedRAMP. The Office of Management and Budget issued a memo in December requiring agencies to use the authorization and accreditation services. The PMO followed with the security controls and the third-party accreditation process.
The CONOPS, however, has been the most difficult to create and is one of the most significant pieces describing how FedRAMP will work.
“The CONOPS explains how all of the agencies and all of the stakeholders interact and make the process efficient,” Goodrich said. “The security baseline was the technology part. The CONOPS has been the hardest part.”
The document details three main areas:
Security assessments, where third-party assessors determine if the vendors meet the security controls. They submit their recommendations to the JAB, which is made up of the chief information officers from the departments of Defense and Homeland Security and GSA, who issue a provisional authority to operate. The buying agency must give the vendor the full authority to operate.
Leveraging authorization. This describes how the PMO will develop a repository of service provider approvals for agencies to use.
Ongoing assessment authorizations. This is the continuous monitoring of the cloud services to make sure vendors are meeting the security requirements.
“There will be a public repository which will be on FedRAMP.gov that will list basically the service providers that are authorized at each level and the public authorization letter, and any agencies that have leveraged that,” Goodrich said. “Then there will be a private repository that we will maintain at GSA where agencies can review those assessment packages and those documents.”
The CONOPS document also clarified the FedRAMP process around the treatment of private, public and hybrid clouds — they will all be treated the same.
CONOPS is key for initial capabilities
Kathy Conrad, the principal deputy associate administrator in the Office of Citizen Services and Innovative Technologies at GSA, said the CONOPS is a key component of what needs to be in place before agencies can use FedRAMP services.
Conrad said the PMO expects to have FedRAMP at its initial operating capability by June. She added the PMO is reviewing applications from vendors wanting to be third-party assessors and expects to name the contractors by early April.
Conrad declined to say how many applications were received, but did confirm the PMO received at least one from a federal agency.
After naming the third-party accreditors, the PMO will release two other documents before June.
“There are two really large documents called the guide to understand FedRAMP, which is like an owner’s manual, and the continuous monitoring guide, where we are combining all that guidance from DHS and the requirements they have for U.S. CERT, Cyberscope and things like that,” Goodrich said. “The things we are really finalizing now are all the templates for cloud service providers.”
He said vendors will use the templates to describe their system security plans, the security assessment report and other requirements.
The PMO also is developing templates around service level agreements and contracting clauses to make it easier for agencies to buy these cloud services.
Goodrich said the goal is to make sure the entire FedRAMP process is as transparent and as easy as possible.
Conrad said industry has given the PMO positive and constructive feedback, and she expects that to continue as more documents come out.
“We have not come up with any barriers we have not been able to overcome,” she said. “We are working in a very collaborative fashion with both industry and the CIOs so as questions and concerns come up we are doing our best to address them in a timely manner.”
This story is part of Federal News Radio’s daily Cybersecurity Update.