Revamping FedRAMP: GSA's cloud security upgrades
Clearing up misconceptions about the FedRAMP cloud security program with GSA's David McClure; also, what GSA is doing to improve the program.
Editor's note: A version of this story was previously published at GCN.com.
Five new tiger teams of representatives from across government are working to improve the Federal Risk Authorization and Management Program (FedRAMP) based on feedback submitted during the public comment process, the General Services Administration’s David McClure told attendees at recent a symposium on high-performance cloud computing in Washington, D.C.
McClure provided a short list of concerns that GSA and government partners are working on to improve FedRAMP and sought to dispel myths about the security accreditation and authorization program designed to vet cloud providers and services. One big myth is that with FedRAMP the government is “blowing up [the Federal Information Security Management Act] and completely redesigning the security approach to the federal government,” McClure said during the symposium sponsored by AFCEA's Bethesda chapter at the Willard InterContinental Hotel.
Instead, FedRAMP’s “focus is to improve the security accreditation process by using an approach that can be vetted and reused across the government,” McClure said. The goal is to implement it once, use it many times and bring some consistency to how this is being done. Hopefully, this also will lower the cost for the security process, he said.
GSA is trying to improve FedRAMP. Out of thousands of comments submitted, GSA chose these aspects for attention.
1. Too many controls and controls for different risk levels.
The government is working to reduce the number of security controls that will be tested. GSA and others cannot eliminate all controls because many are stringent and necessary to secure government computers. However, the government is trying to differentiate between controls at the low-, medium- and high-risk levels – all of the objectives of FISMA.
2. More guidance on third-party assessors’ independence.
Who assesses the cloud provider? Some service providers pick the organizations that assess them and then provide reports to the government. This is equivalent to someone picking his or her own home improvement inspector whentrying to sell a house, McClure said. There are options such as having government entities do the assessment. The government is exploring a NIST suggestion to come up with a model similar to consumer product testing or the standards health area where there is an accreditation board. This world-class board would have the independence to approve a set of accredited assessors, McClure said.
To read the full version of the article, including the remaining five concerns GSA is addressing, click here.