On December 8, 2011, the CIO of the United States defined how federal agencies should use the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP consists of a subset of NIST Special Publication 800-53 security controls specifically selected to provide protection in cloud environments. A subset has been defined for the FIPS 199 low categorization and the FIPS 199 moderate categorization.

As federal agencies embrace cloud technologies, they must also ensure that the cloud provider, operating system, and applications operate in a secure manner. With that, agencies are supposed to use FedRAMP Authorized Cloud Service Providers. The second facet is to ensure that the system being utilized has been certified and approved.

The thought process was to develop a framework so that once an agency had invested the effort to certify a platform and/or software package, it could be utilized by others without a total rework. This standardized approach would encompass system authorizations, security assessments, and continuous monitoring for cloud-developed products and services. FedRAMP is mandatory for all Federal Agency cloud deployments and service models that are operating at the FIPS 199 low, moderate, and high-risk impact levels.

For those agencies already utilizing or wanting to deploy IBM Maximo Asset Management systems, the FedRAMP Program Management Office (PMO) has listed the Maximo SaaS offering as “In Process”. This means that the effort undertaken at this point is enough that the PMO reasonably expects that the system approval will be granted in due time. By the fall of 2018, it is expected that Maximo will be fully authorized for FedRAMP.

ITS has CISSP- and CAP-certified security personnel who can speak to you about your move to FedRAMP and assist you with your choice of providers. Contact ITS to discuss your options.