cloud applications (chanpipat/

FedRAMP, CSA to craft joint cloud certification program

The Federal Risk and Authorization Management Program is working with the Cloud Security Alliance to create a common set of security controls that will make it easier for cloud service providers to get their systems certified for federal use.

The FedSTAR program will provide common processes and methodologies that will reduce the number of duplicative steps necessary for CSPs to gain certification, assess their security posture and conduct continuous monitoring under both programs. 

FedRAMP’s baseline security controls for low-, medium- or high-impact levels systems are based on the National Institute of Standards and Technology’s Special Publication 800-53. CSA’s Security, Trust and Assurance Registry (STAR) program uses a Cloud Controls Matrix -- a framework of cloud-specific security controls that are mapped to leading standards, best practices and regulations.

The two programs are among the most used cloud certifications worldwide, but because they are deployed separately, CSPs "spend valuable resources in duplicating efforts to comply with both systems," CSA Federal Director Kate Lewin said. With FedSTAR, CSPs will be able to earn two certifications with one audit, saving both time and money," she said.

“We are looking at the Cloud Control Matrix and FedRAMP’s controls to determine where the controls are similar so we could accept them between systems,” Lewin told GCN. “We want to make sure that CSPs don’t have to do the same thing twice since it is costly for CSPs and the end users.”

While Lewin acknowledged that FedRAMP and STAR controls will not become synonymous, she said her hope is that FedSTAR could reduce the amount of work necessary to get certified for FedRAMP.  CSA and General Services Administration have agreed to establish a working group to bridge the gaps between the two programs.

Third-party assessment organizations will also be involved in the process. CSA wants to work with the 3PAOs users group, and it is also reaching out to Schellman, Coalfire and Ernst & Young Europe who complete the majority of FedRAMP and STAR certifications.

“Ultimately, FedSTAR is an attempt to resolve a resource-intensive process [that requires] having to do different audits and hiring full-time employees dedicated to certifications and audits,” J.R. Santos, executive vice president of research at CSA, said.  “This is a step in the process to mutual certification, and we hope that other systems will follow suit.”

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Friedman can be contacted at or follow her on Twitter @SaraEFriedman.

Click here for previous articles by Friedman.


Charter Sponsors