The FedRAMP PMO recently conducted webinars on April 23 and 25 regarding Agencies requirement to report their progress on compliance with FedRAMP. The discussion covered the FedRAMP progress to date, the reporting requirements and process for moving services to FedRAMP authorized cloud service providers. You will find the archived webinars on the Past Events page of FedRAMP.gov when they are available.
This is important to government IT procurement and FedRAMP as this is the first report on progress with FedRAMP from the Agencies. The Policy Memo from Dec. 2011 established the cloud first policy along with an original reporting date of April 30. Since then, OMB issued a new memo that supercedes the original FedRAMP memo and states new reporting dates for Agencies to report compliance. These dates are now quarterly instead of annually with reporting to be done through Portfolio Stat; the first reporting date is now May 15, 2013. Reporting is then followed by "quarterly reporting on Aug 31, Nov 30, Feb 28, 2014 and last day of each quarter going forward," stated in the April 23 & April 25 webinars that the FedRAMP PMO conducted.
Each Agency is required to report all cloud services that cannot meet FedRAMP requirements with rationale and proposed resolutions. The original FedRAMP memo can be referenced here: https://cio.gov/wp-content/uploads/2012/09/fedrampmemo.pdf
From the memo is the reporting requirement and the applicability:
"vii. Provide to the Federal Chief Information Officer (CIO) annually on April 30, a certification in writing from the Executive department or agency CIO and Chief Financial Officer, a listing of all cloud services that an agency determines cannot meet the FedRAMP security authorization requirements with appropriate rationale and proposed resolutions."
“This memorandum is applicable to:
a. Executive departments and agencies procuring commercial and non-commercial cloud services that are provided by information systems that support the operations and assets of the departments and agencies, including systems provided or managed by other departments or agencies, contractors, or other sources;
b. All cloud deployment models4 (e.g., Public Clouds, Community Clouds, Private Clouds, Hybrid Clouds) as defined by NIST;5 and
c. All cloud service models (e.g., Infrastructure as a Service, Platform as a Service, Software as a Service) as defined by NIST.6 “
This means that Agencies need to provide inventory of cloud services that aren't yet meeting FedRAMP requirements (or advise when they will). If you are a cloud service provider and have not initiated the FedRAMP process, contact us and we can guide you as to what to do and discuss next steps such as an Assessment or any Advisory work to get you ready for FedRAMP.
For agencies that have to report on cloud services we are happy to provide assistance to you in understanding what technologies or architectures you may want to pursue to accommodate as a resolution for any cloud services that won't be able to meet FedRAMP security authorizations.