State and local leaders look to FedRAMP changes as potential inspiration
tadamichi via Getty Images
By
Chris Teale
The federal government is looking to cut red tape around its security assessment program and embrace automation. State and local leaders believe they can learn a lot from the revamp.
News that the federal government will revamp its cloud security assessment and authorization program already has state and local leaders thinking about lessons their own program can learn.
The General Services Administration late last month launched a new version of its Federal Risk and Authorization Management Program, known as FedRAMP. This accelerated effort, called FedRAMP 20x, looks to use more automated security validations and compliance, and work more closely with cloud vendors.
Those involved in the equivalent program for state and local governments, educational institutions and others — known as GovRAMP, previously StateRAMP — see these changes as being potentially exciting for their own future, especially when it comes to improving efficiency.
“We are always innovating, we're always thinking about how we improve security,” Leah McGrath, GovRAMP’s executive director, said during a webinar last week. “How do we improve that process, and really importantly, without sacrificing security, because that's something that I'm so proud of.”
“All of us in our daily roles, in whether it's IT leadership, cybersecurity leadership, we must be looking for efficiencies, and where we can improve our processes on a continuous basis,” agreed J.R. Sloan, Arizona’s chief information officer and president of the GovRAMP board of directors.
One aspect that has particularly intrigued those outside FedRAMP is the desire to collaborate more closely with cloud companies. GSA said in its announcement of FedRAMP 20x that it wants to make it easier for cloud providers to work with the government in developing cloud security standards and other solutions. And it pledged to hold working groups designed to gather industry input, provide technical guidance and encourage pilot programs.
“We had opportunities where cloud providers would come in and give us ideas on how to how to do things better,” Brian Conrad, director of strategic global compliance initiatives at security company Zscaler and a former acting FedRAMP director, told Route Fifty in a recent interview at Zscaler’s Public Sector Summit. “There's a lot of experience if you look at the sum of cloud providers that are in the FedRAMP ecosystem. There's a lot of technology that can be brought to bear on some of these tricky issues. I'm very enthusiastic to hear about really engaging with industry to see what technology we can bring in, what best practices we can bring.”
Officials in GovRAMP are similarly intrigued by having an even stronger partnership with cloud companies and finding ways to ensure cloud offerings are secure while making some of the requirements less onerous and expensive.
“We are really about driving good security outcomes and that continuous feedback loop to make sure that we are, as an ecosystem, partnering together,” McGrath said. “We are all in this together, for sure.”
Part of the push towards greater efficiency could mean an even bigger role for GovRAMP’s framework harmonization efforts, which streamline the patchwork of rules and guidelines issued by various government agencies that businesses and the public sector must then comply with.
That effort picked up steam through a task force that focuses on boosting cloud security within the criminal justice sector to align with the FBI’s Criminal Justice Information Services, and McGrath said another task force on the use of artificial intelligence in cloud products will follow soon. Harmonizing regulations and rules also helps drive down compliance costs.
“We recognize that helps simplify compliance, but also we hope, by simplifying compliance, we can strengthen security so compliance teams and security teams aren't having to just focus so much on compliance and that instead, they're able to focus on really delivering strong security,” McGrath said.
There is much uncertainty surrounding the future of FedRAMP and GSA, as the agency has laid off workers en masse, including in many of its technology offices. Sloan said GovRAMP can provide “stability in some uncertain times.” And Conrad noted that “disruptive events” can “create innovation.”
“Any introduction of change feels uncomfortable, and it feels uncertain,” Sloan said. “We've all seen a rapid pace of change within the federal government, and so that introduces uncertainty. You just have to hold on and navigate and go one step at a time. Don't panic one way or the other.”
NEXT STORY: GSA launches FedRAMP revamp