The Federal Risk and Authorization Management Program (FedRAMP) office has been working to speed up the accreditation process for cloud service providers looking to prove they meet the government's cybersecurity standards. As part of FedRAMP Accelerated, the program office released a Readiness Assessment Report (RAR) template to enable CSPs to show they're capable of accreditation, even if they don't have the paperwork yet.
There is a strange catch-22 with FedRAMP: Agencies are required to use authorized CSPs but can't write that requirement into solicitations.
Using the pre-approval process, CSPs can show they're well on their way to accreditation while their audit is in process.
"CSPs whose RAR is approved by the FedRAMP PMO are deemed 'FedRAMP Ready' in the FedRAMP marketplace," FedRAMP Director Matt Goodrich wrote in an Aug. 9 blog post announcing the new template. "A FedRAMP Ready designation indicates that a CSP is likely to attain a provisional authorization to operate (P-ATO)," either through the Joint Authorization Board (JAB) or an individual agency.
The RAR enables CSPs to show they have the core security controls in place before going through the lengthy documentation process. The pre-approval will also help speed the full accreditation process by "giving the government a clearer understanding of a provider's technical capabilities up-front in the assessment process," Goodrich said.
The RAR must be approved by a FedRAMP-designated third-party assessment organization (3PAO).
The template also clarifies that an approved RAR does not guarantee a full ATO.