The Federal Risk and Authorization Management Program (FedRAMP) evaluates the security of Cloud Service Offerings, or CSOs, before they are deployed in U.S. government organizations.
Demand for cloud technologies within the Department of Defense is high, and efficiently putting such a large volume of tools through the traditional FedRAMP approval process is a challenge. In December, the DOD released a memo detailing the specific requirements that must be met when a third party organization is used to assess a CSO. The document was signed by David McKeown, deputy chief information officer for cybersecurity and senior information security officer for the DOD.
McKeown, a 2023 Wash100 Award winner, will keynote the Potomac Officers Club's 2024 Cyber Summit on June 6. The event will bring together public and private sector experts to consider the current cybersecurity landscape. McKeown spoke at last year's Cyber Summit, during which he discussed DOD quantum efforts.
To learn more and register to attend the 2024 Cyber Summit, click here.
Through the memo, the department aims to standardize an approval process that would be equivalent to FedRAMP Moderate authorization. McKeown said during Meritalk's Accelerate AI forum in January that the goal of the document is to "give credit to the companies that are trying to leverage a cloud that's not yet FedRAMP certified" by enabling them to use a third party authorization process.
The DOD has historically evaluated contractor compliance through the Defense Federal Acquisition Regulation Supplement, but McKeown said the DOD has previously glossed over the need to "achieve FedRAMP Moderate for all the cybersecurity controls on the face of the earth."
"We wanted to clarify that if you have a [third-party assessment organization] come in and assess that cloud environment, any of the 110 controls they say you satisfy, we will give you credit for that. If there are some that you do not satisfy, then you're going to have to work out a customer responsibility matrix where the customer handles the remaining delta," he explained.
The memo states that "CSOs must achieve 100 percent compliance with the latest FedRAMP moderate security control baseline" in any third party assessment to meet the equivalent standard.
Under the new guidelines, the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center will appraise cloud service providers' bodies of evidence that show FedRAMP Moderate equivalency.
Supporting documentation must include a system security plan, a security assessment plan, a security assessment report produced by a FedRAMP-recognized Third Party Assessment Organization, and a plan of action and milestones.
The memo also makes cloud service providers responsible for developing an incident response plan and reporting any breaches that occur.