FedRAMP approval is fine, but it's just the beginning

The program's standardized security controls can cover basic services like email and backup storage, but after that it gets complicated.

Agencies are increasingly making plans to move to the cloud under the Obama Administration’s “cloud first” mandate issued in 2010, under which agencies are to default to cloud-based solutions for IT needs “whenever a secure, reliable, cost-effective cloud option exists.” The Federal Risk and Authorization Management Program (FedRAMP), also mandatory for agencies using cloud, is intended as the main tool to enable that.

What’s already clear, however, is that FedRAMP, which provides standardized security controls for cloud services, will only be the start of the migration process. For anything beyond relatively simple needs, agencies will still have to conduct extensive risk assessments of the applications and services they want to move to the cloud, and of whether FedRAMP-accredited cloud service providers can ensure the security those applications need.

For most of the common uses such as cloud-based email and backup storage, the security controls that FedRAMP guarantees will be enough to cover what most agencies need, said John Pescatore, director of emerging security trends at the SANS Institute, and a former vice president at Gartner Inc.

“It’s when you get to more complex needs such as infrastructure as a service (IaaS), where you are using the cloud for such things as end-user storage and running custom software, that’s where it’s going to be a lot tougher for this one-size-fits-all approach to work,” he said.

FedRAMP is the result of input from a wide range of government agencies, companies and industry bodies, and currently encompasses the security necessary for compliance with Federal Information Security Management Act (FISMA) low and moderate requirements. The security controls included are based on the National Institute of Standards and Technology’s Special Publication 800-53, with added controls for cloud computing. Revision 4 of those standards, which FedRAMP will be updated to include, was published in April.

There are currently 116 controls included in the FISMA low version of FedRAMP, and 298 in the FISMA moderate version.

To be able to compete for agency cloud services in the future, service providers have to undergo a rigorous certification process and have their security procedures verified by a third-party assessment organization. If risks are found, the provider has to fix them and then have their procedures assessed again. The whole FedRAMP process is overseen by a Joint Authorization Board made up of CIOs from the Defense and Homeland Security departments and the General Services Administration.

Even as a baseline, FedRAMP will bring immediate benefits to agencies, said Maria Roat, the director of the FedRAMP program at GSA. It provides a standard approach for the implementation of both FISMA low and moderate security controls across the entire government.

“If you look at what agencies have been doing with FISMA up to now, it’s really been a mixed bag,” she said. “It’s depended on who the authorizing official is, who the business owners [of the systems and data] are and so on, and it’s really been all over the board as to how stringently agencies have applied the FISMA requirements.”

As to specific needs for cloud, Roat admitted that there’s still a fair amount of education going on about what the best use of cloud is, and what the FedRAMP requirements are when they do use the cloud.

“But we are starting to see questions coming in that indicate people are already starting to look to the cloud for things outside of such things as email and basic Web services,” she said. “They are looking at it for applications that will help them better serve their customers, and asking about what the appropriate security is for those.”

And that’s where complications start to muddy the picture. Each agency will have its own needs as far as data is concerned. Information assurance managers in the Defense Department, for example, will have different requirements than those in civilian agencies. Also, FISMA may be all that’s needed to secure data that’s sitting in a controlled environment, but it doesn’t address data that’s in motion between environments.

Those kinds of considerations are not covered by FedRAMP, said Dan Kent, chief technology officer and director of solutions for Cisco’s federal sector. They must be covered in the service-level agreements (SLAs) the agency strikes with the cloud providers.

“Agencies really have to go at this application by application,” he said. “A video application for office training would need to be treated differently from one for other types of training such as aircraft repair and maintenance. It requires agencies to make a careful assessment of each application, and what the risks are for the kind of data that’s involved and how that data gets to the application.”

Complications also can arise within something that, on the face of it, is covered by the FISMA requirements in FedRAMP but that also contains elements that are not. A public-facing website, for example, would handle mostly unclassified data but may also include transactions such as fee payments that would involve more sensitive credit card or personally identifiable data.

Anything that requires classified information raises the concerns another notch.

“Organizations that process classified information would not be in alignment with either FISMA low or moderate, and are not likely to put their data into an environment that solely considers FedRAMP,” said John Lambeth, CIO of Qinetiq NA. “Indeed, some of the key cloud providers that would go after FedRAMP business would not be in a position to process that kind of information. Again, that’s why agencies have to consider the nature of the data” they are taking to the cloud.

There is an urgency to getting agencies up to speed on what FedRAMP means for them and the cloud, Roat said. While some organizations are well versed in both FedRAMP and FISMA, and have retained the accreditation services they will need to launch their services in the cloud, she said, others are not that far ahead.

And yet budget constraints are pushing them ever faster to the cloud.

“The problem is that the technology of cloud is not new. It’s really a culture change at agencies that’s needed about what needs to move to the cloud, how it will impact resources and so on,” she said. “When they can wrap their heads around that, the reason for FedRAMP will become more apparent to them.”

The FedRAMP program office has made it clear that FedRAMP will be a living entity, said Mel Greer, a senior fellow at Lockheed Martin, one of the few companies to so far receive a FedRAMP provider accreditation, so the program will continue to mature and include more of the agency and industry concerns. FedRAMP is likely, for example, to soon include more requirements based on platform as a service and software as a service to augment the work that’s already been done for IaaS.

But Greer feels it’s already had an important impact, by being a driver for discussion around trust. To the extent that FedRAMP gives agencies an ability to trust cloud providers more, that will reduce their reluctance to embrace the cloud and drive wider adoption of the cloud in government.

“That contribution shouldn’t be dismissed,” he said. “It’s a very difficult thing to do, to create such a broad trust model.”
