One Article Review

Source AlienVault Blog
Identifier 2005271
Publication date 2020-10-30 18:33:00 (viewed: 2020-10-30 21:05:47)
Title What is FedRAMP? Compliance and certification explained
Text This blog was written by a third-party author. The Federal Risk and Authorization Management Program (FedRAMP) is a compliance program established by the US government that sets a baseline for how cloud products and services used by federal agencies are authorized, assessed for security, and continuously monitored. The program's governing bodies include the Office of Management and Budget (OMB), the US Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), the US General Services Administration (GSA), the US Department of Defense (DoD), and the Federal Chief Information Officers (CIO) Council. Any cloud service provider that wishes to offer cloud products and services to US federal agencies must achieve FedRAMP authorization. Using the NIST Special Publication 800 series (principally the SP 800-53 security controls) as its baseline, FedRAMP requires cloud service providers to undergo an independent security assessment by an accredited third-party assessment organization (3PAO), so that the resulting authorizations satisfy the Federal Information Security Management Act (FISMA). Note: the foundations of FedRAMP involve a significant number of acronyms, and as much as we tried to keep them to a minimum, they are an essential part of the story.
FedRAMP was established to:
- Ensure that cloud systems used by government agencies have adequate safeguards in place
- Eliminate duplication of effort and reduce risk management costs
- Enable cost-effective and rapid government procurement of cloud services

The goals of FedRAMP (according to FedRAMP.gov) are:
- Advancing the adoption of secure cloud solutions through reuse of assessments and authorizations
- Improving confidence in the security of cloud solutions and security assessments
- Achieving consistency of security authorizations with a set of agreed-upon standards for cloud product approval, inside or outside the program
- Ensuring consistency in the application of existing security practices
- Increasing automation and near real-time data for continuous monitoring

Requirements for FedRAMP certification

One of the most critical factors for successful government adoption of cloud computing is verifying that essential security controls are implemented on any cloud solution that stores, processes, or transmits government data. Under FedRAMP, a cloud system must meet the security baseline (Low, Moderate or High) that matches the impact level of the government data it handles, as verified by a 3PAO assessment. Strictly speaking, FedRAMP does not issue a certificate: the outcome of the process is an authorization, although "certification" is commonly used informally. The FedRAMP requirements apply to cloud service providers (CSPs) and cloud service offerings (CSOs). The two acronyms are often used interchangeably, but a CSP is the organization and a CSO is the specific service that is assessed and authorized. Other important FedRAMP acronyms include the authority to operate (ATO) and the FedRAMP Program Management Office (PMO). Reviewing the mandates for CSPs: a CSP must prove that it meets the FedRAMP requirements before a federal agency can use its offering. The authorization mechanism is called the FedRAMP Authority to Operate (ATO). How the cloud service provider is authorized can be a significant decision for any CSP planning to offer products and services to federal agencies. There are two paths to a FedRAMP ATO: directly from a sponsoring government agency, or through the Joint Authorization Board (JAB).
The latter authorization is known as a FedRAMP Provisional Authority to Operate (P-ATO). Achieving a P-ATO is a more stringent and selective process: the JAB prioritizes only a limited number of CSOs per cycle, based on demonstrated demand across agencies, and a P-ATO still has to be adopted by each agency that wants to use the service. It requires assessment and approval by the JAB, which is comprised of the Department of Homeland Security (DHS), the Department of Defense (DoD) and the General Services Administration (GSA). CSPs must achieve the following high-level requirements for FedRAMP certification, authorization, and compliance by the
Sent Yes
Tags Guideline
The article does not appear to have been republished after its publication.

The article does not appear to have been based on an earlier one.