Risk
10/31/2013
11:50 AM
Nitin Pradhan
Commentary

Q&A: FedRAMP Director Discusses Cloud Security Innovation

Maria Roat, FedRAMP director, speaks with former Transportation Department CIO Nitin Pradhan on the federal government's approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Does the FedRAMP process work on a first-come, first-served process?

Roat: FedRAMP contacts and assesses the readiness of cloud service providers to complete a FedRAMP assessment as they apply to the FedRAMP program. The JAB prioritizes the review of cloud systems with the objective to assess and authorize cloud systems that can be leveraged government-wide.

When reviewing cloud systems according to this priority, there are two distinct categories of cloud systems: (1) cloud systems with existing Federal agency authorities to operate (ATOs), and (2) cloud systems without an existing Federal agency ATO. FedRAMP will initially place higher priority on cloud services that have existing ATOs in order to develop lessons learned to provide for rapid maturation of FedRAMP. As FedRAMP matures, FedRAMP will review cloud systems equally from both categories as resources allow.

How is the FedRAMP PMO office organized? What are its resources?

Roat: The FedRAMP PMO is headed by the FedRAMP director and has a FedRAMP manager who assists in managing the program. The PMO is composed of program support and an ISSO team.

The program support team develops requirements and provides day-to-day support of the program. The ISSOs interface directly with the CSPs and oversee the assessment of each CSP, review the CSP's documentation and oversee the continuous monitoring process for CSPs that have a P-ATO.

The FedRAMP PMO is composed of a mix of government employees and contractors. At this time, the FedRAMP PMO has sufficient resources to support and process applicants.

How is FedRAMP changing the security culture of the agencies?

Roat: FedRAMP provides an example of how a government-wide, standardized security process can work and accelerate the adoption of technology. Cloud service providers that have a P-ATO have been approved by the CIOs of DoD, DHS and GSA, demonstrating how multiple federal agencies can collaborate to improve the security posture of systems used by the government. FedRAMP also promotes the mentality of basing security decisions on risk awareness. Agencies should be aware of their risk tolerances as the guidelines for security and implementing a system, not just compliance with requirements. Finally, no other cloud cyber security program exists on the same scale as FedRAMP. It is a showcase of innovation funded by government that can also be used by the private sector.

Explain why FedRAMP is a model security certification program for all CSPs to consider adopting.

Roat: CSPs that are looking to sell their services to the federal government will need to come through FedRAMP. Under the OMB memo "Security Authorization of Information Systems in Cloud Computing Environments," agencies are required to use FedRAMP for federal agency cloud deployments when acquiring cloud services at the low- and moderate-risk impact levels. Cloud providers can reduce the submission hurdles with new agencies.

FedRAMP can help provide a cost and time savings to CSPs through the reuse of their existing security assessments across agencies in order for an agency to issue an ATO. FedRAMP also provides transparency between government and cloud service providers. It allows CSPs to demonstrate their ability to meet FISMA requirements to agencies procuring cloud services. CSPs that already have an agency ATO using the FedRAMP templates and baselines have a smooth transition to the FedRAMP Provisional Authorization process, as the documentation is readily available for the JAB.

Top 12 Controls for FedRAMP Certification

Comments
WKash (User Rank: Apprentice), 1/21/2014 | 8:35:33 PM
FedRAMP is changing the way industry looks at cloud security
Based on our latest report, it's clear FedRAMP is making an impact on cloud service providers. Read: Cloud Providers Align With FedRAMP Security Standards

WKash (User Rank: Apprentice), 11/1/2013 | 10:07:37 PM
re: Q&A: FedRAMP Director Discusses Cloud Security Innovation
One thing not said here is that agencies can also win approval for P-ATO for selected proposals separate from the JAB. The JAB makes it easier for many agencies to adopt an approved cloud service.

WKash (User Rank: Apprentice), 10/31/2013 | 6:01:41 PM
re: Q&A: FedRAMP Director Discusses Cloud Security Innovation
For anyone trying to understand what FedRAMP is, why it matters, and how it's changing the way security authorizations are getting done in #GovIT, this interview w/ @USGSA's director Maria Roat is a great primer.