Similar measures include using passwords at least 12 characters long with a mixture of upper- and lower-case letters, numbers and special characters.
The Office of Management and Budget and Federal Chief Information Officer Steven VanRoekel sent a memo to agency chief information officers Dec. 8, 2011, outlining steps agencies should take to begin implementing FedRAMP.
The memo called on the CIO Council to, within 30 days of the memo's release, publish a baseline of security controls, privacy controls and the controls that NIST selected for continuous monitoring.
VanRoekel outlined the responsibilities of the four FedRAMP stakeholders: the Department of Homeland Security, the Joint Authorization Board, the Program Management Office and the federal agencies themselves. Each stakeholder plays a part in streamlining processes to "reduce procurement and operating costs," VanRoekel wrote in the memo.
The Joint Authorization Board, which consists of DHS, GSA and Pentagon security experts, will assess contracts. The board will define and maintain security authorization requirements and approve accreditation criteria for third-party assessment organizations.
The board will establish, review and grant authorizations. The board will also ensure regular updates of authorizations.
DHS will maintain its role as the operational overseer, VanRoekel’s memo said. DHS will coordinate cybersecurity operations and develop monitoring standards and guidance for agencies.
GSA will establish the FedRAMP Program Management Office, which will create a process for agencies to follow FedRAMP security measures that are established by the Joint Authorization Board.
The office will create a methodology for “harmonizing agency-specific security,” as well as a mechanism to request authorization and guidance, according to the memo. Through the office, GSA will coordinate with DHS for monitoring as well as with NIST to develop a uniform assessment program, VanRoekel said.
It will also establish a central repository detailing requests and develop templates to govern information exchange between departments, agencies and the program management office.
Agencies will use the guidelines established by the board and the office to ensure that applicable contracts comply with FedRAMP. Agencies will also provide VanRoekel with an annual report on the certification of cloud services.
VanRoekel also called for standardized contract language to improve the acquisition process. According to VanRoekel, the result is a "repository of authorization packages for cloud services that can be leveraged government-wide."
“Much like other compliance frameworks, it provides an auditable and consistent model against which the contractor community can build robust, accredited managed services,” Lambeth said.