The Federal Risk and Authorization Management Program evaluates the security of Cloud Service Offerings, or CSOs, prior to their deployment in U.S. government organizations.
There is a high demand for cloud technologies within the Department of Defense, and it can be a challenge to efficiently put such a large volume of tools through the traditional FedRAMP approval process. In December, the DOD released a memo detailing the specific requirements that must be met when using a third-party organization to assess a CSO. The document was signed by David McKeown, deputy chief information officer for cybersecurity and senior information security officer for the DOD.
McKeown, a 2023 Wash100 Award winner, will keynote the Potomac Officers Club’s 2024 Cyber Summit on June 6. The event will bring together public and private sector experts to consider the current cybersecurity landscape. McKeown spoke at last year’s Cyber Summit, during which he discussed DOD quantum efforts.
Through the memo, the department aims to standardize an approval process that would be equivalent to FedRAMP Moderate authorization. McKeown said during MeriTalk’s Accelerate AI forum in January that the goal of the document is to “give credit to the companies that are trying to leverage a cloud that’s not yet FedRAMP certified” by enabling them to use a third-party authorization process.
The DOD has historically evaluated contractor compliance through the Defense Federal Acquisition Regulation Supplement, but McKeown said the DOD has previously glossed over the need to “achieve FedRAMP Moderate for all the cybersecurity controls on the face of the earth.”
“We wanted to clarify that if you have a [third-party assessment organization] come in and assess that cloud environment, any of the 110 controls they say you satisfy, we will give you credit for that. If there are some that you do not satisfy, then you’re going to have to work out a customer responsibility matrix where the customer handles the remaining delta,” he explained.
The memo states that “CSOs must achieve 100 percent compliance with the latest FedRAMP moderate security control baseline” in any third-party assessment to meet the equivalent standard.
Under the new guidelines, the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center will appraise cloud service providers’ bodies of evidence that show FedRAMP Moderate equivalency.
Supporting documentation must include a system security plan, a security assessment plan, a security assessment report conducted by a FedRAMP-recognized Third Party Assessment Organization and a plan of action and milestones.
The memo also makes cloud service providers responsible for developing an incident response plan and reporting any breaches that occur.