by clicking on the page. A slider will appear, allowing you to adjust your zoom level. Return to the original size by clicking on the page again.
the page around when zoomed in by dragging it.
the zoom using the slider on the top right.
by clicking on the zoomed-in page.
by entering text in the search field and click on "In This Issue" or "All Issues" to search the current issue or the archive of back issues respectively.
by clicking on thumbnails to select pages, and then press the print button.
this publication and page.
displays a table of sections with thumbnails and descriptions.
displays thumbnails of every page in the issue. Click on a page to jump.
allows you to browse through every available issue.
FCW : May 15, 2016
18 May 15, 2016 FCW.COM FedRAMP Resource constraints have been part of the problem: JAB is staffed by the CIOs from GSA and the departments of Defense and Home- land Security, and until this year, those agencies had no dedicated funding for FedRAMP efforts. What GSA found during discussions with more than 85 stakeholder groups, however, is that the documenta- tion-driven process is the primary culprit. On the government side, Goodrich said, the FedRAMP team was looking at documentation “to try and understand a CSP’s system” and then using that to identify any gaps and instruct the CSP on chang- es required to provide the needed cloud capabilities. For the CSPs, however, “you know what the capabilities are,” Goodrich said. Providers look at their systems, identify what they need to do to meet federal require- ments, implement those changes “and then you document.” The new path to approval The new approach is all about put- ting the FedRAMP PMO on the same path that CSPs are using. “We want to understand capabilities upfront, too,” Goodrich said. The old approach’s emphasis on documentation of “notional systems” often accounted for 70 percent to 80 percent of the total review process, he added. “That’s a lot of time to be looking at paper and to not be looking at a system.” Central to the new process is the FedRAMP Readiness Assessment Report — an upfront gap assessment of a cloud service’s security that Goodrich said most successful FedRAMP candidates already conduct over a span of a few weeks. CSPs that want to work with JAB will now need a third-party assessment organization, or 3PAO, to conduct that readiness assessment before diving into detailed documentation. If the 3PAO gives the cloud service passing marks and the PMO agrees, that provider would be declared FedRAMP Ready. The FedRAMP Ready designation was originally adopted in 2014 because GSA “wanted differentiators to show which vendors were serious about working with the federal government,” Goodrich said. The new front-end assessment, however, will make that label “really mean something,” he added, and give agencies confidence that the service would be approved for use in relatively short order. A FedRAMP-ready CSP would be required to complete a full FedRAMP Security Assessment before moving on to JAB for approval. That, too, is a change from the current approach, which often involves multiple rounds FEB 2010 FedRAMP concept announced DEC 2010 Federal Cloud Computing Strategy published DEC 2011 FedRAMP policy signed MAY 2012 First third-party assessment organizations accredited JUN 2012 FedRAMP launches DEC 2012 First provisional cloud security authorization issued by FedRAMP Joint Authorization Board MAY 2013 Department of Health and Human Services grants first agency provisional authority to operate JUN 2014 Official deadline for agency FedRAMP compliance DEC 2014 FedRAMP Forward roadmap released JAN 2015 Defense Department announces cloud security requirements that build on FedRAMP FEB 2015 First CSP Supplied accreditation announced MAR 2016 Revised process for JAB approval released MAY 2016 CSP Supplied packages no longer accepted; guidelines on prioritization of JAB reviews expected FedRAMP Timeline “We will never trade rigor for speed, [but] we do want to see how fast we can make this happen.” — MATT GOODRICH, GSA ZAIDHAMID 0515fcw_016-020.indd 18 4/20/16 1:29 PM
April 30, 2016
May 30, 2016