The U.S. Government has already established a program guiding the adoption of commercial cloud services, in the form of FedRAMP. The FedRAMP program has extensive requirements for Cloud Service Providers (CSPs), and includes requirements for many of the areas in this management memo, including Security Controls, Cyber Incident Reporting, Security Assessments, and Information Security Continuous Monitoring.
OMB should make clear in this management memo that requirements for a) CSPs doing business with the Federal Government and b) U.S. Government agencies procuring cloud services are established and maintained solely through the FedRAMP program.
If separate procurement guidance is required for cloud services, then OMB should issue separate guidance, coordinated with the FedRAMP Program Management Office (PMO), that is specific to the FedRAMP program.