NIH | National Cancer Institute | NCI Wiki  


As of June 2014, all federal organizations are restricted to using Cloud Service Providers (CSPs) that have been FedRAMP authorized or that are in the process of obtaining their FedRAMP authorization to operate. Visit GSA's FedRAMP site, the FedRAMP Marketplace, for more information and to see a list of ready, in-process, and authorized CSPs.

According to NIST's Special Publication 800-145, The NIST Definition of Cloud Computing, cloud-based systems are typically leased infrastructure and use one or more of the following service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS). System owners who use a CSP should understand the compliance requirements for such environments because they differ somewhat from those for traditional infrastructure solutions. Federal agencies that use cloud services fall under the auspices of both the Federal Risk and Authorization Management Program (FedRAMP), which is managed by the GSA, and NIST's 800-37 Risk Management Framework, which outlines how traditional FISMA assessments are conducted. When choosing a cloud service provider, you should first ensure that the provider has a FedRAMP issued or recognized Authorization to Operate (ATO). Please visit GSA's list of authorized CSPs to find the current list of FedRAMP authorized CSPs.

FedRAMP is the FISMA-based authorization process that cloud service providers must follow before government agencies may use their cloud service offering (CSO). Once a CSP has its FedRAMP authorization, Federal agencies may use the CSO, but that use is still subject to internal agency review and endorsement of the FedRAMP authorization. The agency authorization includes a review of the FedRAMP package, but also requires agencies to implement and assess the controls that the CSP does not fully manage. Agencies are asked to submit their own authorization leveraging the FedRAMP authorization, acknowledging that they are approving the use of the CSO by their agency and attesting that they will separately implement, assess, and maintain the agency or customer managed controls not covered by the CSP. Agency endorsements or ATOs are posted on the FedRAMP Marketplace so that other agencies can determine who else uses the CSO and avoid duplicating effort.

...