The 47-page concept of operations outlines how agencies and contractors should proceed in certifying services, so that a service from one contractor can be used in multiple agencies.
GSA says products including infrastructure-as-a-service tools will be the first to go through the FedRAMP process.
Independent auditors, who must go through an application process to become government-approved, will evaluate products’ compliance.
After a service passes the audit phase, officials from the Department of Homeland Security and FedRAMP will evaluate and continue to re-evaluate services deployed in agencies.
Service providers may re-submit a product or service to the auditors for reconsideration, and a panel of security experts will reassess whether the product will be used or not.
GSA’s guide designates DHS as the lead body in coordinating recovery efforts in the event of a breach on the agency side.
DHS will also “assist government-wide and agency-specific efforts to provide adequate, risk-based and cost-effective cybersecurity” and develop guidance to implement trusted services and cybersecurity.