Federal Cloud Security Program Charts Course for Ramp Up

Published: January 14, 2015

Tags: Cloud Computing, Cybersecurity, GSA

The program in charge of the government's cloud security baseline has outlined its plan to target key issues in the months ahead.

It’s been several years since the government started to address challenges around cloud security by establishing a cloud security baseline. The General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP) set out with the goal of “do once, use many times” when it comes to security authorizations. During the first two years of FedRAMP activity, the program’s achievements include:

- More than 50 Cloud Service Providers (CSPs) are engaged in the FedRAMP process.
- 27 CSPs have completed the FedRAMP compliance process.
- These authorizations address over 160 FISMA implementations.
- The Third Party Assessment Organization (3PAO) accreditation program has been established and 31 independent auditors have received accreditation. Two thirds of these auditors are small businesses.
- Nearly every federal agency is participating in FedRAMP.

In mid-December 2014, FedRAMP revealed its new logo and a program roadmap for the next two years. The document outlines the program’s priorities. The goals include:

1) Increase stakeholder engagement
   - Expand agency implementation of FedRAMP.
   - Increase cross-agency collaboration.
   - Promote greater understanding of FedRAMP.

2) Improve efficiencies
   - Improve the consistency and quality of 3PAO assessments and deliverables.
   - Create a flexible framework for data and workflow management.
   - Align with and leverage existing security standards.

3) Continue to adapt
   - Advance and evolve continuous monitoring.
   - Establish additional baselines.
   - Integrate further with cybersecurity initiatives and contribute to policy reform.

Over the next six months, program activities in pursuit of these objectives will include establishing a baseline for FedRAMP use across the federal government, providing implementation guidance for agency authority to operate (ATO), outlining a multi-agency authorization methodology, launching an online training program, re-launching the website, collaborating with the Office of Management and Budget and the Office of Federal Procurement Policy to develop and publish procurement guidance, releasing a draft baseline for FISMA high security controls, and publishing a roadmap for evolving continuous monitoring. The list goes on to include laying out guidelines for addressing inconsistencies in security assessments and providing key indicators for officials performing risk analysis. In line with these goals, just before the end of the year, FedRAMP issued updated guidance for agency review of an ATO. As a whole, these initiatives lay the groundwork that will be built upon over the next two years to make the cloud security program more robust. From its outset, FedRAMP described its gradual approach as “crawl, walk, run,” and the program does indeed seem to be picking up the pace.