Cloud service providers may have leeway until fall to secure their service offerings to agencies before Federal Risk and Authorization Management Program implementation kicks in, Nextgov reported Wednesday.
Frank Konkel writes that vendors have been working to get assessed ahead of the June 5 deadline, but changes to FedRAMP baseline cloud computing standards, in line with National Institute of Standards and Technology revisions to its security and privacy controls for federal information systems, may cause delays in enforcement.
“Over the next three months through the end of the fiscal year, it’ll be kind of a slow walk where as long as you’re in the process of making positive movement, you’re moving toward certification,” Maria Horton, CEO of FedRAMP-accredited third-party assessment organization EmeSec, was quoted as saying.
Horton expects “ramped-up investment” from CSPs to start Oct. 1, when NIST SP 800-53 Rev. 4 is due to come out, as vendors want to avoid being found out of compliance.
“Folks will be preparing. Their livelihood depends on it,” she said.
Some software-as-a-service and infrastructure-as-a-service companies have achieved authority-to-operate certificates, with several other CSPs granted provisional ATOs, in the two years since FedRAMP’s inception.