GSA Releases Procedures for FedRAMP Authorization of Cloud Solutions

McKenna Long & Aldridge, LLP Government Contracts Advisory:
The General Services Administration (GSA) has released the Federal Risk and Authorization Management Program (FedRAMP) Concept of Operations (CONOPS), which outlines the procedures cloud service providers must follow to obtain provisional authority to operate cloud solutions for federal agencies. The CONOPS contains the first detailed description of the specific processes cloud service providers, the FedRAMP Project Management Office and FedRAMP-accredited third party assessment organizations will follow under FedRAMP’s government-wide authorization regime, and is intended to provide the relevant stakeholders — as well as any outside organizations seeking to better understand FedRAMP procedures — with a step-by-step explanation of the FedRAMP assessment process. Specifically, the CONOPS provides a detailed explanation of the roles and responsibilities of these entities in: (1) accrediting third party assessment organizations; (2) performing security assessments of cloud service providers; (3) leveraging provisional authority to operate cloud solutions; and (4) performing ongoing continuous monitoring and audits.

FedRAMP is designed to provide a standardized approach to obtaining an authorization to operate cloud services in compliance with the Federal Information Security Management Act of 2002 (FISMA), Pub. L. No. 107-347, which mandates that any IT system handling federal data must undergo security authorization and receive an authorization to operate. The CONOPS is the latest in a series of guidance mandated by the FedRAMP Policy Memorandum issued by the Office of Management and Budget (OMB) on December 8, 2011. See McKenna Long & Aldridge LLP Government Contracts Advisory, OMB Establishes Government-Wide Authorization for Cloud Computing Services. The December 2011 FedRAMP Policy Memo launched the FedRAMP Project Management Office, established an interagency Joint Authorization Board composed of executives from DoD, DHS and GSA, and called for publication of this CONOPS. The Joint Authorization Board released its list of security controls in early January 2012, and the FedRAMP process is slated to become fully operational by June of this year.

Contractors seeking to market cloud solutions to federal agencies should closely review the procedures outlined in the CONOPS, since these requirements will apply to all cloud deployment models (e.g., public clouds, community clouds, private clouds) and all cloud service models (e.g., Infrastructure as a Service, Platform as a Service, Software as a Service), and contractors should expect to see these procedural requirements incorporated in future solicitations and contracts. While the security assessment of cloud solutions is a FedRAMP priority, the highly structured, highly detailed, and potentially iterative process for obtaining authority to operate cloud solutions described in the CONOPS may slow down agencies’ anticipated timelines for transitioning to the cloud. Further, the continuous monitoring requirements and the requirements for notification of changes to security procedures may impose substantial ongoing reporting obligations stemming from cloud service providers’ regular refresh of security controls. Ultimately, however, the possibility of undergoing a single authorization process to provide cloud services on a government-wide basis will give cloud service providers a streamlined and efficient process for contracting with federal agencies.

McKenna Long & Aldridge will continue monitoring key developments in this area and provide periodic updates.