Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
The FedRamp proposal version 0.96 provides additional requirements and guidance to the NIST SP800-53 controls.
FedRAMP requires the creation of a Joint Authorization Board (JAB) consisting of technical representatives from the US Govt, the sponsoring agency and the CSP. Next to that, the CSP must appoint designated FedRAMP personnel. The process of becoming a registered CSP is displayed below:
In the following example, NIST SP800-53r3 control CP-2 is enhanced with the requirement that the list of key contingency personnel contain designated FedRAMP personnel:
The decision to embrace cloud computing technology is a risk-based decision, not a technology-based decision. As such, this decision from a risk management perspective requires inputs from all stakeholders, including the CIO, CISO, Office of General Counsel (OGC), privacy official and the program owner. Once the business decision has been made to move towards a cloud computing environment, agencies must then determine the appropriate manner for their security assessments and authorizations.