Agencies to report progress with FedRAMP

Tom McAndrew, Chief Executive Officer, Coalfire

The FedRAMP PMO recently conducted webinars on April 23 and 25 on the requirement for Agencies to report their progress toward FedRAMP compliance. The discussion covered FedRAMP's progress to date, the reporting requirements, and the process for moving services to FedRAMP-authorized cloud service providers. The archived webinars will be posted on the Past Events page when they are available.

This is important to government IT procurement and to FedRAMP because it is the first report on FedRAMP progress from the Agencies. The December 2011 OMB policy memo that established FedRAMP set an original annual reporting date of April 30. Since then, OMB issued a new memo that supersedes the original FedRAMP memo and sets new dates for Agencies to report compliance. Reporting is now quarterly instead of annual and is done through PortfolioStat; the first reporting date is now May 15, 2013. According to the April 23 and April 25 webinars conducted by the FedRAMP PMO, this is followed by "quarterly reporting on Aug 31, Nov 30, Feb 28, 2014 and last day of each quarter going forward."

Each Agency is required to report all cloud services that cannot meet FedRAMP requirements, with rationale and proposed resolutions. The original FedRAMP memo can be referenced here:

From the memo, the reporting requirement and the applicability:

"vii. Provide to the Federal Chief Information Officer (CIO) annually on April 30, a certification in writing from the Executive department or agency CIO and Chief Financial Officer, a listing of all cloud services that an agency determines cannot meet the FedRAMP security authorization requirements with appropriate rationale and proposed resolutions."

"This memorandum is applicable to:
a. Executive departments and agencies procuring commercial and non-commercial cloud services that are provided by information systems that support the operations and assets of the departments and agencies, including systems provided or managed by other departments or agencies, contractors, or other sources;
b. All cloud deployment models (e.g., Public Clouds, Community Clouds, Private Clouds, Hybrid Clouds) as defined by NIST; and
c. All cloud service models (e.g., Infrastructure as a Service, Platform as a Service, Software as a Service) as defined by NIST."

This means that Agencies need to provide an inventory of the cloud services they use that do not yet meet FedRAMP requirements (or state when they will). If you are a cloud service provider and have not initiated the FedRAMP process, contact us and we can guide you through the next steps, such as an Assessment or Advisory work to get you ready for FedRAMP.

For Agencies that have to report on cloud services, we are happy to help you identify the technologies or architectures you may want to pursue as a resolution for any cloud service that will not be able to meet FedRAMP security authorization requirements.

Tom McAndrew
