The federal government is getting involved. The Federal Risk and Authorization Management Program (FedRAMP) seeks to publish a set of standards that any company can use for evaluating third-party external vendors. The standards have not been released yet, and the program seems to be tied up in constant discussion and bureaucracy in Washington, observers note.
A second initiative, called the Common Assurance Maturity Model (CAMM), intends to develop a scoring system not unlike the PUE (power usage effectiveness) rating used for data centers. Jay Heiser, a Gartner analyst, says this third-party evaluation process holds promise but has been on hold for over six months.