By Kathryn Daily, CISSP, CAP, RDRP
On December 8, 2021, the FedRAMP program turned 10 years old! FedRAMP was created in 2011 with the goal of producing a cost-effective, repeatable solution for securing cloud services and cloud service providers. I think we can safely say, mission accomplished. The CGI IAAS Platform was the first CSP to be authorized through the Joint Advisory Board in 2013. FedRAMP currently has 246 vendors approved (as of Jan 10, 2022), with many more on the way! FedRAMP launched the Marketplace, which provides government agencies with a one-stop shop for approved cloud solutions to fit their needs and provides a base level of assurance that the provider meets the requirements unique to the federal government. Prior to FedRAMP, each federal agency had to assess the cloud services that it wanted to use as a part of its Assessment and Authorization activity.
With the advent of FedRAMP, the federal government adopted an "assess once, use many times" framework that reduced the cost and complexity for federal agencies using cloud services. FedRAMP has developed a template set for vendors to use when going through the FedRAMP approval process in an effort to streamline the documentation process, something that RMF could benefit from in my opinion. Additionally, FedRAMP has created an accreditation program for the 3PAOs (Third Party Assessment Organizations) to ensure that assessments are performed uniformly across the board.
It’s been so successful that states have started to imitate what the federal government has accomplished with their own StateRAMP, which pursues the same mission at the state level. While StateRAMP is still in its infancy, it shows great promise to bring the same benefits that the federal government has seen to state government. Let’s see what FedRAMP has in store for the next 10 years!