A government agency can’t just use any ol’ cloud service.
The Department of Defense or Veterans Affairs, or NASA, has highly sensitive data after all, and cloud providers wanting government clients must prove the security of their services.
That’s where FedRAMP comes in.
Real quick, what’s FedRAMP? Since its inception in 2011, the Federal Risk and Authorization Management Program, or FedRAMP, has provided standards and requirements for cloud-based tools used by the government—a framework that is slowly evolving to address large-scale, thorny threats like supply-chain attacks.
FedRAMP leverages National Institute of Standards and Technology (NIST) standards and guidelines. Before FedRAMP, each agency had its own approval process when it came to adopting certain security frameworks. Once certified, a FedRAMP-ified cloud service can be used across multiple agencies.
FedRAMP’s guiding principle is reuse: “Do once, use many times,” said Brian Conrad, acting director of FedRAMP, in an email to IT Brew. “This is to promote and enable the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations to allow agencies to leverage security authorizations on a government-wide scale.”
Level up: Certification levels—low, moderate, and high—vary based on how sensitive the information being held is.
Join the club: There are 280 commercial cloud services that have a FedRAMP authorization, and over 4,500 instances of reuse of those authorized services, according to Conrad.
Dark clouds: Cloud services can introduce additional risks if software supply-chain components are compromised. (Just look at a September 2021 report from Palo Alto Networks that found a lot of insecure configurations in the third-party code templates of cloud infrastructures.)
—BH