NIH | National Cancer Institute | NCI Wiki  


As of June 2014, all federal organizations are restricted to using Cloud Service Providers (CSPs) that have been FedRAMP authorized, or that are in the process of obtaining their FedRAMP authorization to operate. Visit the GSA's FedRAMP Marketplace for more information and to see a list of ready, in-process, and authorized CSPs.

According to NIST Special Publication 800-145, The NIST Definition of Cloud Computing, cloud-based systems are typically leased infrastructure and use one or more of the following service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS). System owners who use a CSP should understand the compliance requirements for such environments because they differ somewhat from those for traditional infrastructure solutions. Federal agencies that use cloud services fall under the auspices of both the Federal Risk and Authorization Management Program (FedRAMP), which is managed by the GSA, and NIST SP 800-37, the Risk Management Framework, which outlines how traditional FISMA assessments are conducted. When choosing a cloud service provider, you should first ensure that the provider has a FedRAMP-issued or FedRAMP-recognized Authorization to Operate (ATO). Please visit GSA's list of authorized CSPs to find the current list of FedRAMP authorized CSPs.

FedRAMP is the FISMA-based authorization process that cloud service providers must follow before government agencies may use their cloud service offering (CSO). Once a CSP has its FedRAMP authorization, Federal agencies may use it, but they are still subject to internal agency review and endorsement of the FedRAMP authorization. The agency authorization includes a review of the FedRAMP package, but it also requires agencies to implement and assess the controls that are not fully managed by the CSP. Agencies are asked to submit their own authorization leveraging the FedRAMP authorization, acknowledging that they are approving the use of the CSO by their agency and attesting that they will separately implement, assess, and maintain the agency- or customer-managed controls not covered by the CSP. Agency endorsements or ATOs are posted on the FedRAMP Marketplace so that other agencies can determine who else uses the CSO and avoid duplicating that effort.

...

As part of the implementation, you may need to update your application's design requirements to account for new or modified security requirements. You may also need to implement or develop specific tools to satisfy required controls. If the cost of developing or implementing a new security control is impractical, or if it is not cost effective when compared to the potential risk of not implementing the control, you can apply to the NIH Chief Information Security Officer (CISO) for a security waiver. You should first discuss any waiver request with your Contracting Officer Representative (COR) and with the NCI ISSO before actually submitting the request, to determine whether there are any compensating control options and whether the waiver is likely to be approved.

...

Your AO will most likely be either your Contracting Officer Representative (COR) or your Federal Program Manager (PM), who are sometimes one and the same. If you have trouble determining who the AO will be for your system, email the NCI ISSO for assistance in making a determination.

...