Page History

As of June of 2014, all federal organizations are restricted to using Cloud Service Providers (CSP) that have been FedRAMP authorized, or that are in the process of obtaining their FedRAMP authorization to operate. Visit GSA's FedRAMP site, the FedRAMP Marketplace, for more information and to see a list of ready, in-process, and authorized CSPs.

According to NIST's Special Publication 800-145, The NIST Definition of Cloud Computing, Cloud based systems are typically leased infrastructure and use one or more of the following service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS).  System owners who use a CSP should understand the compliance requirements for such environments because they do vary some from traditional infrastructure solutions. Federal agencies that use cloud services fall under the auspices of both the Federal Risk Authorization Management Program (FedRAMP) program, which is managed by the GSA, and by NIST's 800-37 Risk Management Framework, which outlines how traditional FISMA assessments are conducted. When choosing a cloud service provider you should first ensure that the provider has a FedRAMP issued or recognized Authorization to Operate (ATO). Please visit GSA's list of authorized CSPs to find the current list of FedRAMP authorized CSPs.

...