FedRAMP

From Wikipedia, the free encyclopedia

The Federal Risk and Authorization Management Program (FedRAMP) is an assessment and authorization process which U.S. federal agencies have been directed by the Office of Management and Budget[1] to use to ensure security is in place when accessing cloud computing products and services. Under this program, authorized FedRAMP cloud service providers (CSPs) can provide services for U.S. government agencies.[2]

The OMB identified cybersecurity as one of 14 Cross-Agency Priority (CAP) Goals [3] established in accordance with the Government Performance and Results Modernization Act of 2010.

The second Chief Information Officer of the United States, Steven VanRoekel, issued a memorandum to the federal agency Chief Information Officers on December 8, 2011, defining how federal agencies should use FedRAMP. FedRAMP consists of a subset of NIST Special Publication 800-53 security controls specifically selected to provide protection in cloud environments. A subset has been defined for the FIPS 199 low categorization and the FIPS 199 moderate categorization. The FedRAMP program has also established a Joint Authorization Board (JAB) consisting of Chief Information Officers from DoD, DHS, and GSA.

Before the introduction of FedRAMP, individual federal agencies managed their own assessment methodologies following guidance loosely set by the Federal Information Security Management Act of 2002.[4]

Third Party Assessment Organizations

The Joint Authorization Board (JAB) is responsible for establishing accreditation standards. The Third Party Assessment Organizations (3PAOs) perform the security assessments of cloud solutions. The JAB reviews authorization packages (which include the results of the 3PAOs' assessments) and may grant a provisional authorization to operate. The federal agency consuming the service still has final responsibility for the final authority to operate.[5] Participating vendors sell a variety of hosting services and Software as a Service packages, and several 3PAOs provide assessment and security consulting services to other vendors.

FedRAMP Authorized Cloud Service Providers

FedRAMP Authorized Cloud Service Providers,[6] with available service offering detail, include:

  • 18F cloud.gov [7]
  • 1901 Group
  • Accenture [8]
  • Adobe [9]
  • Accellion
  • Acquia Inc.
  • AINS
  • AirWatch
  • Akamai
  • Amazon (AWS) GovCloud [10]
  • Appian
  • Autonomic Resources, a wholly owned subsidiary of CSRA LLC
  • Avue Technologies
  • BlackBerry
  • Blackmesh
  • BMC Software
  • Box Inc.
  • CGI Federal
  • Cisco Systems Inc.
  • Collab9
  • Complete Discovery Source
  • Compusearch Software Systems, Inc.
  • Cornerstone OnDemand
  • Cylance, Inc.
  • DataBank, Ltd. [11]
  • Datapipe Government Solutions, a Rackspace Company
  • Decision Lens Inc.
  • Deloitte [12]
  • DocuSign
  • Druva, Inc.
  • Esri
  • FireEye
  • General Dynamics Information Technology (GDIT)
  • GitHub [13]
  • Google
  • Granicus
  • Huddle US
  • IBM [14]
  • IdeaScale
  • Innovative Discovery
  • IT-CNP
  • Knight Point Systems
  • MicroFocus
  • MicroPact
  • Microsoft
  • MIS Sciences Corporation
  • mLINQS
  • Northrop Grumman
  • Okta
  • OMB
  • Oracle [15]
  • ORock Technologies, Inc.
  • PowerTrain Inc.
  • Project Hosts
  • Proofpoint, Inc.
  • QTS
  • Qualys
  • SAIC
  • Salesforce
  • SAP National Security Services Inc. (SAP NS2)
  • ServiceNow
  • Skillsoft
  • Skyhigh
  • Slack[16]
  • Socrata
  • Softlayer
  • SpringCM
  • Symantec Corporation
  • TalaTek, LLC [17]
  • TIBCO
  • VASCO
  • Verizon
  • Virtustream

References

  1. ^ Burwell, Sylvia M (18 November 2013). "Enhancing the Security of Federal Information and Information Systems" (PDF). Office of Management and Budget. Archived from the original (pdf) on 4 March 2016. Retrieved 10 July 2017.
  2. ^ Alsinawi, Baan. "Accredited FedRAMP Advisory and Assessment Services". TalaTek, LLC. Retrieved 2018-11-12.
  3. ^ Driving Federal Performance, accessed 8 June 2016
  4. ^ DOD turns to FedRAMP and cloud brokering, 21 May 2014, accessed 18 June 2016
  5. ^ "About FedRAMP". U.S. General Services Administration. 13 June 2012. Retrieved 6 May 2015.
  6. ^ "FedRAMP Marketplace". 23 February 2018. Retrieved 23 February 2018.
  7. ^ "18F cloud.gov". 5 December 2018. Retrieved 5 December 2018.
  8. ^ "Accenture FedRAMP Services". 23 February 2018. Retrieved 23 February 2018.
  9. ^ "Adobe FedRAMP Services". 23 February 2018. Retrieved 23 February 2018.
  10. ^ "Amazon FedRAMP Services". 23 February 2018. Retrieved 23 February 2018.
  11. ^ "DataBank Completes FedRAMP Authorization and Recertification of FedRAMP-Compliant CloudPlus". 27 June 2018. Retrieved 27 June 2018.
  12. ^ "Deloitte FedRAMP Services". 23 February 2018. Retrieved 23 February 2018.
  13. ^ "GitHub is FedRAMP Authorized". 24 October 2018. Retrieved 25 October 2018.
  14. ^ "IBM FedRAMP Services". 23 February 2018. Retrieved 23 February 2018.
  15. ^ "Oracle FedRAMP Services". 23 February 2018. Retrieved 23 February 2018.
  16. ^ https://slack.com/security-practices
  17. ^ "TalaTek FedRAMP Services". 23 February 2018. Retrieved 23 February 2018.
