Cloud Security Alliance Announces FedSTAR, a New Joint Certification System with FedRAMP

System to be based on a common framework for deployment, use and maintenance


Seattle, WA– May 14, 2018 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announces that it has partnered with the Federal Risk and Authorization Management Program (FedRAMP), at the U.S. General Services Administration (GSA), to implement a system for the recognition between the common requirements of FedRAMP and CSA STAR Program to reduce the audit burden for CSPs.

“FedRAMP and CSA’s STAR are among the most used cloud certifications world-wide, however, because they are deployed separately and incompatible, cloud service providers (CSP) spend valuable resources in duplicating efforts to comply with both systems,” said Kate Lewin, Federal Director, Cloud Security Alliance.
“Complying with multiple systems is not only confusing, costly and ineffective, but acts as a barrier to market entry for smaller companies. That’s about to change with the development of FedSTAR. Now, CSPs will be able to earn two certifications with one audit, saving both time and money,” she added.

Cloud service providers are in desperate need of tools they can use to analyze and assess their security posture, as well as use to conduct continuous monitoring. FedSTAR will provide processes and methodologies that allow CSPs to stop replicating steps that are common between FedRAMP and STAR. This collaboration will demonstrate the effectiveness and efficiency of joint efforts with the U.S. Government and industry to reduce compliance burdens on private-sector companies.

CSA and the GSA have agreed to establish a working group to begin work on bridging the gaps. The group will engage independent, third-party assessor companies to conduct a gap analysis between STAR and FedRAMP controls.

Further, the working group will seek input from all stakeholders, including cloud service providers, the security community (CISOs, risk managers) and Federal government as it sets out to determine which processes and procedures from each system can be recognized and accepted by both, including the Independent Third-Party Assessors certification processes, documentation format, and standards for mutual acceptance. Individuals and organizations interested in participating in the working group are invited to contact Katie Lewin, Federal Director, CSA.