To ensure that the cloud solutions and services being implemented by government agencies are secure and meet an established set of standards, experts from multiple federal agencies, including GSA, NIST, DHS, DOD, NSA, OMB and private enterprises came together to form the Federal Risk and Authorization Management Program (FedRAMP).
FedRAMP assesses the cloud services and solutions that vendors want to sell to federal agencies to ensure they meet an established set of security benchmarks. One of FedRAMP's stated goals is to “Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations.”
Unfortunately, the program is not really “accelerating” anything.
Understaffed and suffocating under a load of applications from an enormous ecosystem of vendors and cloud providers seeking to sell their offerings to federal agencies, FedRAMP has fallen woefully behind.
The acting director of FedRAMP, Matt Goodrich, recently took steps to help alleviate this backlog. The first step was to issue an RFQ for management and technical support for the program. This RFQ would bring in additional staff to wade through the ocean of applications and expedite the approval process. The second step FedRAMP has taken is more of a short-term fix, and one that could lead to future issues – FedRAMP Ready.
FedRAMP Ready effectively allows cloud service providers and vendors that have submitted their paperwork and begun the FedRAMP approval process to advertise that they are “FedRAMP Ready” and sell their products and solutions to federal agencies.
With the program understaffed and falling behind, it makes complete sense to create some sort of compromise so there are available cloud solutions for federal agencies to acquire and so that good, capable companies can sell their secure services to the government and not get excluded from competing for federal agency dollars.
However, this FedRAMP Ready designation does create some potential problems.
If companies can begin selling cloud solutions to federal agencies without having been through the entire FedRAMP approval process, it could lead to a situation where unproven and insecure cloud solutions are being sold to the federal government. It could be catastrophic if sensitive citizen or government information is stored in these clouds and then compromised before the official auditing and approval process concludes.
Then there’s the question of moving data out of the cloud. Should a FedRAMP Ready cloud service or solution fail to make it through the approval process, what happens to the government agencies that have already purchased and implemented their solutions?
If sensitive government or citizen data is being stored in a cloud that doesn’t meet FedRAMP standards, will that data have to be moved? How is that accomplished? How does the agency verify that all copies of its data, including backups, have been securely deleted from the provider’s systems and cannot be compromised in the future?
Although FedRAMP is falling behind on auditing and approving cloud service providers and vendors, letting enterprises sell their cloud services to the federal government before they’re formally approved could come back to haunt the program. By implementing unapproved solutions, the federal government could be exposing sensitive information and putting itself in a position where it is scrambling to respond to security incidents, or to migrate and purge data from a cloud, in the future.
The better route is the one FedRAMP is taking with the RFQ. Instead of making an easy on-ramp for FedRAMP, the program should instead be focused on increasing its capacity for audits and approvals and ensuring that only qualified, secure solutions make it into federal agencies.
The post Is the Government Ready for FedRAMP Ready? appeared first on Techsource.