The management office overseeing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services has released its initial concept of operations document.

The document provides guidelines for the Federal Risk and Authorization Management Program (FedRAMP) and is intended for Cloud Service Providers, Third Party Assessment Organizations (3PAOs), government employees and contractors working on FedRAMP projects, and any outside organizations that want to use or understand the FedRAMP assessment process.

The document, released by the General Services Administration Feb. 7, covers the following areas:
• Section 1 describes how this document is organized and identifies the document audience.
• Section 2 describes the purpose of FedRAMP internal and external stakeholders.
• Section 3 describes FedRAMP operational areas, the phased implementation approach and the FedRAMP priority queue.
• Section 4 describes how to use FedRAMP and FedRAMP security assessment packages.
• Section 5 describes the role of 3PAOs within FedRAMP, the application process for the 3PAO, FedRAMP requirements for 3PAOs and the criteria by which information systems will be evaluated.
• Section 6 describes the approach for performing FedRAMP security assessment for cloud computing systems.
• Section 7 describes how to leverage a Provisional Authorization.
• Section 8 describes the ongoing assessment and authorization (continuous monitoring) process for cloud computing systems/services with FedRAMP Provisional Authorization.
• Section 9 provides references, guidance, and regulations related to FedRAMP.
• Section 10 provides a list of all deliverables and their point of use in the FedRAMP program.
• Section 11 provides a list of acronyms.

More information about the FedRAMP project is available at FedRAMP.gov.