7 ways government is working to improve FedRAMP

 

Connecting state and local government leaders

The General Services Administration's David McClure tackles some of the myths about the FedRAMP cloud security program and offers a list of areas a group of tiger teams is working on.

  Five new tiger teams of representatives from across government are working to improve the Federal Risk Authorization and Management Program (FedRAMP) based on feedback submitted during the public comment process, the General Services Administration’s David McClure told attendees today at a symposium on high-performance cloud computing in Washington, D.C.

McClure provided a short list of concerns that GSA and government partners are working on to improve FedRAMP and sought to dispel myths about the security accreditation and authorization program designed to vet cloud providers and services.

There are still some misunderstandings surrounding FedRAMP, said McClure, associate administrator with GSA’s Office of Citizen Services and Innovative Technologies.

A big myth is that with FedRAMP the government is “blowing up [the Federal Information Security Management Act] and completely redesigning the security approach to the federal government,” McClure said during the symposium sponsored by AFCEA's Bethesda chapter at the Willard InterContinental Hotel.

Instead, FedRAMP’s “focus is to improve the security accreditation process by using an approach that can be vetted and reused across the government,” McClure said. The goal is to implement it once, use it many times and bring some consistency to how this is being done. Hopefully, this also will lower the cost for the security process, he said.


Related Coverage:

GSA fast tracks requirements for FedRAMP


GSA released a draft version of FedRAMP security controls in October 2010 with the intention of issuing the first version by the end of December. However, after reviewing public comments, federal CIO Vivek Kundra, GSA and other officials decided to step back and make sure that critical issues were properly addressed. In fact, GSA extended public comments to January 2011.

“We could have issued FedRAMP Version 1," McClure said. "It would have been OK but would not have resolved critical issues in the security process."

FedRAMP is now slated for release by the end of the summer.

Cloud computing, an on-demand model that allows access to shared computing resources, does introduce some unique security requirements. So the government is looking at FISMA and the National Institute of Standards and Technology security series 800 guidelines to determine what applies in the cloud and the different cloud delivery models, which include infrastructure as a service, software as a service and platform as a service.

“So we have assembled five new tiger teams comprised of representatives from all around government” to address industry and others concerns about FedRAMP, McClure said, noting another myth-buster: that FedRAMP is not a GSA process. It is governmentwide and community-driven, he said. Agencies contributing to the process include the Defense and Homeland Security departments, the Federal CIO Council, NIST, the National Security Agency and, at times, the intelligence community. Industry has regularly been brought in as well.

Thousands of comments were submitted, but here is a short list of areas the government is working on to improve FedRAMP:

1. Too many controls and controls for different risk levels.

The government is working to reduce the number of security controls that will be tested. GSA and others cannot eliminate all controls because many are stringent and necessary to secure government computers. However, the government is trying to differentiate between controls at the low-, medium- and high-risk levels – all of the objectives of FISMA but right now these are blurred. Right now, the focus is on all security on or all security off. That has to change, McClure said.

2. More guidance on third-party assessors’ independence.

Who assesses the cloud provider? Some service providers pick the organizations that assess them and then provide reports to the government. This is equivalent to someone picking his or her own home improvement inspector whentrying to sell a house, McClure said. There are options such as having government entities do the assessment. The government is exploring a NIST suggestion to come up with a model similar to consumer product testing or the standards health area where there is an accreditation board. This world-class board would have the independence to approve a set of accredited assessors, McClure said.

3. Continuous monitoring raises data concerns.

FedRAMP is moving toward a continuous monitoring approach, which focuses on the availability of real-time data about a system’s security posture. For a cloud provider the question is, “Do you want to give up that data for continuous monitoring?” McClure said. Often that data contains very sensitive information.

4. What is the role of the Joint Authorization Board?

The Joint Authorization Board consists of the Defense and Homeland Security departments, GSA and a sponsoring agency looking for accreditation for the cloud provider coming together to certify an Authorization to Operate. How does that work? Does the JAB have or want the authority governmentwide? Does it have the ability legally to grant authority for another agency? “We are working that out [now] and there are ways to solve” these issues, McClure said.

5. What will be the role of government security operation centers?

A big question is about where the monitoring data goes on a regular basis. “Do we create a new bureaucracy, a security operating center in one place where everything is fed into?” McClure asked, or should the government use existing security operation centers? This is another area that the government is working on, he said, adding that the government is not trying to create bureaucracy or another chokepoint for everything being used.

6. How does the government ensure that FedRAMP is complaint with the Trusted Internet Connection?

TIC is an Office of Management and Budget initiative to reduce the number external communication and Internet points of connections within agencies. This is another sensitive issue, McClure said.

7. What are the different security controls for the different cloud delivery models – IaaS, PaaS and SaaS?

“Aren’t there differences in these cloud services that warrant different types of controls and assessment?"
McClure said. These are things that have been worked out better in the second round.

"These are just minor things, right?" McClure joked.

The bottom line: FedRAMP is trying to produce a security baseline in a transparent fashion, McClure said. “If we do not have transparency and trust in this environment, it will not work."


X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.