March 14, 2012

Last Updated on March 14, 2012

In December of 2011, FedRAMP was introduced to provide a cost-effective, risk-based approach for the adoption and use of cloud services in the federal government. The idea was to define a set of standardized security requirements for the authorization and ongoing cyber security of cloud services based on different system impact levels (risks) and a “certification program” supported by a large team of independent, third-party assessment firms. Theoretically, at that point, the security experts from the DHS, DOD, and GSA could maintain a list of “approved” Cloud Service Providers.

There are a lot of things to like about FedRAMP, most notably:

  • The information security control set it leverages is based on a good and widely used standard (NIST 800-53).
  • It could save the federal government as much as $5 Billion annually.
  • It provides clear guidance to Cloud Service Providers regarding information security controls.

There are a couple of things that are a bit worrisome about FedRAMP:

  • We are 15 months post proclamation – and we still have a ways to go.
  • There is a lot of uncertainty over what type of changes to the environment require re-certification.
  • Outsourcing IT operations does not mean outsourcing risk, so there needs to be a component of FedRAMP that mandates the outsourcing agency's responsibility to govern the service provider. If the risk is high enough, this could devolve into a near-continuous monitoring proposition, which most organizations lack the appetite or resources for.
  • It adds another “certification” to a growing number that a Cloud Service Provider may need (e.g., PCI-DSS, SSAE-16, ISO-27001). At what point do they (rightfully) cry “no más”?
  • The funding necessary to establish the “independent assessor” program, which is necessary for the program to be effective, is still uncertain.

So what does an agency do if it wants to use the cloud in the meantime? Fundamental vendor risk management: understand the risks that keep you awake at night, and seek high-quality (preferably third-party) evidence that the controls required to mitigate those risks are in place and operating as intended. In a perfect world the vendor will be ISO-27001 certified and your risks will be explicitly considered in the risk assessment. At that point, it’s just a matter of putting the necessary SLAs and monitoring mechanisms in place to ensure the desired security posture persists over the life of the agreement.