A cloud service provider (CSP) whose cloud services are currently being used by the United States
federal government should obtain FedRAMP Authorization to assure compliance with stringent
government standards. FedRAMP is a government-wide program that provides a standardized
approach to security assessment, authorization, and continuous monitoring for cloud products and
services. FedRAMP enables agencies to leverage the security assessments of CSPs that have been
approved by FedRAMP, and establishes a baseline set of security controls for cloud computing, based
on NIST SP 800-53. FedRAMP also helps CSPs demonstrate their compliance with relevant laws
and regulations, such as FISMA, FIPS, and NIST standards. FedRAMP Authorization can be obtained
through two paths: a provisional authorization from the Joint Authorization Board (JAB) or an
authorization from an individual agency [1][2].
The other options are incorrect because:
A. CSA STAR Level Certificate: CSA STAR is a program for security assurance in the cloud that
encompasses key principles of transparency, rigorous auditing, and harmonization of standards. The CSA
STAR Level Certificate is one of the certification options offered by CSA STAR; it is based on the
ISO/IEC 27001 standard and the CSA Cloud Controls Matrix (CCM). The CSA STAR Level Certificate is not
specific to US federal government standards and does not guarantee compliance with FedRAMP
requirements [3].
B. Multi-Tier Cloud Security (MTCS) Attestation: MTCS is a cloud security standard developed by the
Singapore government to provide greater clarity and transparency on the level of security offered by
different CSPs. MTCS defines three levels of security controls for CSPs: Level 1, Level 2, and Level 3,
with Level 3 being the most stringent. MTCS Attestation is a voluntary self-disclosure scheme for
CSPs to declare their conformance to the MTCS standard. MTCS Attestation is not applicable to
US federal government standards and does not ensure compliance with FedRAMP requirements [4].
C. ISO/IEC 27001:2013 Certification: ISO/IEC 27001 is a standard for information security
management systems that specifies the requirements for establishing, implementing, maintaining,
and continually improving an information security management system within the context of the
organization. ISO/IEC 27001 Certification is an independent verification that an organization
conforms to the ISO/IEC 27001 standard. ISO/IEC 27001 Certification is not exclusive to cloud
computing or US federal government standards, and does not cover all aspects of FedRAMP
requirements [5].
References:
[1] Learn What FedRAMP is All About | FedRAMP | FedRAMP.gov
[2] How to Become FedRAMP Authorized | FedRAMP.gov
[3] STAR | CSA
[4] Multi-Tiered Cloud Security Standard (MTCS SS)
[5] ISO - ISO/IEC 27001 - Information security management