What is FedRAMP? How does it help with cloud-computing environments? Can we use it here in our state? I expect these questions will be asked across America over the next few years in the halls of state and local governments.
The federal government is well down the path to defining security controls required in cloud computing. State and local government officials need to take notice and leverage this excellent federal work. If not, the many benefits of cloud computing will be overcome by the tough challenges in this new environment.
The Federal Risk and Authorization Program (FedRAMP) is a “risk management program for large outsourced and multi-agency information systems used by the U.S. government.” FedRAMP was created to support government cloud computing plans.
According to Techtarget.com:
“FedRAMP is intended to facilitate the adoption of cloud computing services amongst federal agencies by evaluating those services offered by vendors on behalf of the agencies. The evaluations will be based on a unified risk management process that includes security requirements agreed upon by the federal departments and agencies. Because the services are vetted by FedRAMP, each agency does not need to conduct its own risk management program. This reduces duplication of effort, the time involved in acquiring services and costs.”
In my view, this detailed work is exactly the kind of effort that governments require across all 50 states. While there will no doubt be a need for some local tweaking, the same processes and procedures used for the FedRAMP program can benefit state and local governments around the world, not just in the USA.
At a recent symposium on high-performance cloud computing, Dave McClure, a General Services Administration expert on FedRAMP, told the audience that five new tiger teams with representatives from across government are working to improve FedRAMP based on feedback submitted from the public. These teams are working on (at least) seven improvements to the program.
According to Government Computer News (GCN), the improvements will address these seven issues:
1) Too many controls and controls for different risk levels.
2) More guidance on third-party assessors’ independence.
3) Continuous monitoring raises data concerns.
4) What is the role of the Joint Authorization Board?
5) What will be the role of government security operation centers?
6) How does the government ensure that FedRAMP is compliant with the Trusted Internet Connection?
7) What are the different security controls for the different cloud delivery models – Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS)?
I urge readers to learn more about FedRAMP – especially if you are implementing cloud computing initiatives and exploring opportunities. Efforts are underway by the National Association of State Chief Information Officers (NASCIO) to work together with GSA and others in the federal government to leverage contracts, standards and more in the cloud.
The issues that Dave McClure recently discussed are the same issues that are bound to cause state and local governments to stumble in the cloud in the near-term. Security, privacy and legal concerns regarding cloud computing must be (and can be) addressed holistically. Let’s apply that famous 80-20 rule and get onboard this ship to the greatest extent possible. We will save time and money if we do.
How? What are next steps? It starts with education – learn about and become engaged with current activities.
Now what did FedRAMP stand for again?
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.
He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.
He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.
Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.
He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.
Follow Lohrmann on Twitter at: @govcso
Building effective virtual government requires new ideas, innovative thinking and hard work. From cybersecurity to cloud computing to mobile devices, Dan discusses what’s hot and what works in the world of gov tech.