Warren Udy

This goes towards the policy needs of cloud computing. Please read and comment on the documents.

Dear Security Working Group Members –

As members of the Federal Cloud Computing Initiative, we wanted to let you know of some big news!

We are pleased to announce the release of Proposed Security Assessment and Authorization for U.S. Government Cloud Computing, documentation that reflects the best efforts of government in addressing the unique security challenges presented by cloud computing. This document was developed by an inter-agency team of the General Services Administration, the National Institute of Standards and Technology, the CIO Council, and other working bodies such as the FCCI committees and working groups.

This document is the basis for what most of us know as FedRAMP – the Federal Risk and Authorization Management Program. FedRAMP will provide standard Assessment and Authorization (A&A) services for cloud computing solutions used by multiple Federal agencies. The published document includes: the FedRAMP baseline security requirements, suggested A&A processes, and details on the role of FedRAMP in continuous monitoring. Reference documents with additional information have also been published.

All documents are available for downloading at http://www.FEDRAMP.gov.

This document and the FedRAMP program in general have been top priorities for the FCCI over the past year, and much of the initial content for this document stems from work completed by the Cloud Computing Advisory Council’s Security Working Group. Our PMO sincerely appreciates the time and effort that you all provided to make this a reality.

However, the work is not done. As the title implies, these are proposed documents for A&As of cloud systems through FedRAMP. We know the work we have done is not perfect and are seeking help to improve this document. We are requesting feedback from the community to make FedRAMP work for the Federal Government as well as the vendor community. As members of the FCCI’s governance groups, we would appreciate your input once again before the first phase of FedRAMP becomes operational in the first quarter of CY2011. The document can be accessed at http://www.FedRAMP.gov, and all comments must also be submitted through this website. The comment period ends at 11:59 pm EST on Thursday, December 2, 2010. We look forward to your feedback and are grateful for the role that you all played in the creation of this document.

Thank you again and congratulations!