Federal Risk and Authorization Program
The Federal Risk and Authorization Management Program (FedRAMP) created a government-wide standardized approach for assessing, authorizing, and monitoring the security of systems providing cloud products and services to Federal agencies. Under this program, third-party assessment organizations perform independent verifications of the security controls utilized by cloud service providers’ information systems. However, the reporting format prescribed by FedRAMP for third-party assessments differs substantially from the format AICPA members currently use to report on controls at service organizations. The ASEC Trust Information Integrity Task Force formed a working group that has met with FedRAMP representatives on multiple occasions and has made significant progress in developing a reporting format that would comply with current AICPA reporting standards while also meeting the requirements of the FedRAMP program.

A recent FedBizOpps notice announced that, effective March 25, 2013, FedRAMP will stop accepting new application packages from organizations applying to become accredited Third Party Assessment Organizations and will not accept any resubmitted application packages from previous applicants in response to letters of non-conformity from the FedRAMP PMO. Any firms considering applying before March 25, 2013 should indicate in their application packages that the report is subject to final approval between FedRAMP and the AICPA.