Back in 2010, the White House stepped in and introduced a new IT reform policy that put parameters around emerging cloud service providers (CSPs), specifically those that wanted to do business with a federal agency or the federal government. In the simplest terms, it provides a standardized way of vetting cloud providers. From security assessment through authorization and continuous monitoring, it’s an intense audit all around.
Here are five fast facts about FedRAMP:
- In December 2010, the White House published the “25 Point Implementation Plan to Reform Federal IT”. In 2012, the Federal Risk and Authorization Program (FedRAMP) was introduced to provide a standardized process for assessing and authorizing cloud service providers that are used by federal government agencies.
- FedRAMP is the result of close collaboration with cybersecurity and cloud experts from the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DOD), National Security Agency (NSA), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO) Council and its working groups, as well as private industry.
- Under the “Cloud First Mandate of 2010”, agencies have saved about $40 million; that number is likely higher, since the full impact has not been fully reconciled. The U.S. Federal government alone spends more than $80 billion each year on IT.
- Vendors can inherit up to about a third of the total FedRAMP baseline of security. Government and enterprise agencies can layer on agency-specific controls in addition to those certified by FedRAMP.
- Over the next two years, FedRAMP Forward’s goals are to continue the success of the program through the PMO, engaging more directly with stakeholders to improve understanding of FedRAMP and to ensure the benefits of the program are fully realized.