Cloud security controls
Pentagon Seeks to Clarify FedRAMP Equivalency Policy With Private Sector
David McKeown, the Pentagon’s chief information security officer, said his office will hold an industry call within 30 to 45 days to discuss a recent memo on Federal Risk and Authorization Management Program requirements for cloud services storing classified information.
The document allows companies using cloud services lacking FedRAMP Moderate authorization to undergo equivalent compliance checks from recognized third-party assessors, Federal News Network reported.
On the sidelines of a recent MeriTalk event, McKeown told Federal News Network that there has been confusion about the memo. He clarified that the Pentagon aims to credit companies for any security controls the independent evaluators say are satisfied.
For any unmet requirements, companies will need to create a customer responsibility matrix, McKeown added.
The memo indicates that obtaining a status equivalent to FedRAMP Moderate clearance requires cloud services to achieve full compliance with the latest FedRAMP Moderate security control baseline. Third-party assessors will determine whether such standards are met.