Security Assessment and Authorization Policy for 18F
The 18F Program develops a security assessment plan that describes the scope of the assessment including:
- Security controls and control enhancements under assessment
- Assessment procedures to be used to determine security control effectiveness
- Assessment environment, assessment team, and assessment roles and responsibilities
cloud.gov is designed for compliance with the Federal Risk and Authorization Management Plan and has adopted the FedRAMP Assessment and Authorization program as the basis for its Security and Privacy compliance activities. cloud.gov engages a FedRAMP Accredited Third Party Assessment Organization (3PAO) to develop a compliant security assessment plan.
cloud.gov has engaged the 3PAO to assess the security controls in the information system at least annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
cloud.gov has engaged the 3PAO to produce a security assessment report that documents the issues, test activities, findings, and recommendations from the assessment.
18F will deliver all documents used in or created during the assessment to generate a complete FedRAMP Authorization package. The package is transmitted to the FedRAMP Program Management Office (PMO) for submission to the FedRAMP JAB.