Eyeing supply chains, FedRAMP keeps government services in the cloud

One government official expects FedRAMP to be at the forefront of zero-trust and SBOMs.
Douglas Rissing/Getty Images

A government agency can’t just use any ol’ cloud service.

The Department of Defense, Veterans Affairs, and NASA handle highly sensitive data, after all, and cloud providers that want government clients must prove the security of their services.

That’s where FedRAMP comes in.

Real quick, what’s FedRAMP? Since its inception in 2011, the Federal Risk and Authorization Management Program, or FedRAMP, has provided the standards and requirements for cloud-based tools used by the government, a framework that is slowly evolving to address large-scale, thorny threats like supply-chain attacks.

FedRAMP leverages National Institute of Standards and Technology (NIST) standards and guidelines. Before FedRAMP, each agency ran its own approval process for the cloud services it adopted. Once authorized, a FedRAMP-ified cloud service can be used across multiple agencies.

FedRAMP’s guiding principle is reuse: “do once, use many times,” said Brian Conrad, acting director of FedRAMP, in an email to IT Brew. “This is to promote and enable the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations to allow agencies to leverage security authorizations on a government-wide scale.”

Level up: Authorizations are granted at one of three impact levels, low, moderate, or high, according to how sensitive the information held by the service is.

Join the club: There are 280 commercial cloud services that have a FedRAMP authorization, and over 4,500 instances of reuse of those authorized services, according to Conrad.

Dark clouds: Cloud services can introduce additional risk if components of their software supply chain are compromised, and even unintentional flaws upstream propagate downstream: a September 2021 report from Palo Alto Networks found insecure configurations to be widespread in the third-party infrastructure-as-code templates used to build cloud environments.

In late 2020, NIST published Revision 5 (“Rev 5”) of Special Publication 800-53, its catalog of security and privacy controls. The fifth revision, which FedRAMP is scheduled to adopt, adds a control family dedicated to supply-chain risk management, covering the identification of system components, the creation of a supply-chain risk-management team, and the documentation of component provenance.

“You may have to have a whole map of your software supply chain,” said Nate Smolenski, head of cyber intelligence strategy at Netskope, a FedRAMP-authorized provider of security and access-policy enforcement for Veterans Affairs.

Since Rev 5, IT pros have defended against a slew of supply-chain incidents, most notably the Log4j vulnerability (Log4Shell) disclosed in December 2021, a flaw in a widely used open-source logging library that forced organizations to find every application that embedded it.

At August’s GovForward FedRAMP Summit, the supply chain was on the minds of at least two panelists: Smolenski and Eric Mill, senior advisor at the Office of Management and Budget, who sees FedRAMP as an example-setter for supply-chain safeguards like the software bill of materials (SBOM).

“We would expect FedRAMP to be one of the primary consumers and participants in the SBOM ecosystem so that when future issues come up like another Log4J that we’re able to handle this in a more streamlined manner,” Mill told the audience.
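The “another Log4j” case Mill describes is exactly the query an SBOM consumer needs to be able to answer quickly: given an inventory, which systems bundle the affected package at an affected version? The following is an added example written for this article, not tooling from FedRAMP, OMB, or Netskope. It walks a CycloneDX SBOM (constructed here; not a real product’s inventory), including components nested inside other components, matches package URLs against the affected package, and compares versions with a small Log4j-style version parser so that a pre-release such as 2.0-beta9 sorts correctly. The affected range for log4j-core (2.0-beta9 through 2.14.1) is taken from the Log4Shell advisory and is an assumption of the example, since the article gives no version numbers.

```python
"""Added example: querying a CycloneDX SBOM for a vulnerable component.

Illustrative code written for this article, not FedRAMP or vendor tooling.
The SBOM below is constructed for the example; the affected version range
for log4j-core is the Log4Shell advisory range, assumed here as the query.
"""
import json
import re

# Constructed CycloneDX 1.4 SBOM. One application bundles log4j-core 2.14.1
# as a nested component, one ships only log4j-api (not the affected artifact),
# one is already patched (2.17.1), and one carries an old pre-release.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {
            "type": "application", "name": "policy-gateway", "version": "3.2.0",
            "components": [
                {"type": "library", "name": "log4j-core", "version": "2.14.1",
                 "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
                {"type": "library", "name": "log4j-api", "version": "2.14.1",
                 "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
            ],
        },
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "log4j-core", "version": "2.0-beta9",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"},
    ],
})

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?$")


def parse_version(text):
    """Turn a Log4j-style version into a sortable tuple.

    Pre-release tags ("2.0-beta9") sort before the final release ("2.0");
    the fourth element is 0 for pre-releases and 1 for releases.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version: {text}")
    major, minor, patch, tag, tag_num = m.groups()
    is_release = 0 if tag else 1
    return (int(major), int(minor), int(patch or 0), is_release, int(tag_num or 0))


def parse_purl(purl):
    """Split 'pkg:maven/namespace/name@version' into (type, namespace, name, version)."""
    m = re.match(r"^pkg:([^/]+)/(?:(.+)/)?([^/@]+)@([^?#]+)", purl)
    if not m:
        raise ValueError(f"unrecognised purl: {purl}")
    return m.groups()


def iter_components(components, path=()):
    """Yield (path, component) for every component, descending into nested lists."""
    for comp in components:
        here = path + (comp.get("name", "?"),)
        yield here, comp
        yield from iter_components(comp.get("components", []), here)


def find_affected(sbom_text, purl_type, namespace, name, lo, hi):
    """Return [(path, version)] for each component that is the affected package
    and whose version lies in the inclusive range [lo, hi]."""
    sbom = json.loads(sbom_text)
    lo_t, hi_t = parse_version(lo), parse_version(hi)
    hits = []
    for path, comp in iter_components(sbom.get("components", [])):
        purl = comp.get("purl")
        if not purl:
            continue  # no package URL: cannot match reliably, skip
        ptype, ns, pname, version = parse_purl(purl)
        if (ptype, ns, pname) != (purl_type, namespace, name):
            continue  # different artifact (e.g. log4j-api is not log4j-core)
        if lo_t <= parse_version(version) <= hi_t:
            hits.append(("/".join(path), version))
    return hits


# Assumed query: Log4Shell affected log4j-core 2.0-beta9 through 2.14.1.
LOG4SHELL_QUERY = ("maven", "org.apache.logging.log4j", "log4j-core", "2.0-beta9", "2.14.1")

if __name__ == "__main__":
    for path, version in find_affected(SAMPLE_SBOM, *LOG4SHELL_QUERY):
        print(f"affected: {path} (log4j-core {version})")
```

Matching on the package URL rather than the display name is what keeps log4j-api out of the results and keeps the nested copy inside policy-gateway in them; an inventory that lacks purls, or flattens nested components, cannot answer this question precisely, which is why SBOM quality matters as much as SBOM presence.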

Mill expects FedRAMP and the cloud ecosystem it fosters to be at the forefront of “zero-trust” practices like enforcing “principles of least privilege,” strong authentication, and encryption.

“These are just things that ultimately for a lot of agencies are going to come from the commercial cloud in a real practical way. We’ll be interested in seeing those things mature in the next couple years,” Mill said.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.
