FCW : May 15, 2014
DrillDown

DOD turns to FedRAMP and cloud brokering

Civilian agencies’ approach to cloud security is now a key part of the Pentagon’s process

BY CHRISTINA McGHEE

The Federal Risk and Authorization Management Program provides a standardized approach to security assessments, authorizations and continuous monitoring for cloud products and services. It is meant to replace the current process by which agencies assess low- and moderate-baseline third-party cloud service providers (CSPs) prior to procurement. Before FedRAMP, individual agencies managed their own assessment methodologies following guidance loosely set by the Federal Information Security Management Act.

FedRAMP has overhauled the cloud procurement process for civilian agencies, and it is changing how the Defense Department assesses the security of its cloud services prior to procurement. The department has long relied on the DOD Information Assurance Certification and Accreditation Process (DIACAP) to assess the risk posture of systems prior to authorizing them for use.

In June 2012, DOD CIO Teri Takai released a memo designating the Defense Information Systems Agency as the department’s enterprise cloud service broker (ECSB), and said DISA would manage the use, performance and delivery of cloud services, negotiating relationships between cloud providers and DOD agency cloud consumers. The memo also states that DISA would use commercial cloud services that meet FedRAMP requirements.

FedRAMP uses the National Institute of Standards and Technology’s Special Publication (SP) 800-53, among others, to establish common cloud computing baselines. To transition DIACAP to a risk management framework in alignment with the NIST standards, DOD created an interagency working group that included members from DOD, NIST, the Office of the Director of National Intelligence and the Committee on National Security Systems. CNSS has the authority to issue binding guidance for national security systems and did so in the form of CNSS Instruction No. 1253, “Security Categorization and Control Selection for National Security Systems.”

For cloud providers, DISA has implemented a pilot program of the ECSB’s Cloud Security Model that leverages the FedRAMP authorization process to assess cloud services for use at DOD. CSPs that do not go through the ECSB security assessment process must

A FedRAMP timeline

December 2011: FedRAMP is officially unveiled by federal CIO Steven VanRoekel.
June 2012: GSA opens the FedRAMP certification process.
December 2012: First FedRAMP authority to operate is granted.
March 2014: Takai memo states that DOD has shifted from DIACAP to NIST’s risk-based security approach for all IT endeavors.
June 2014: OMB’s stated deadline for cloud services to meet FedRAMP requirements.