Risk
10/31/2013
11:50 AM
Nitin Pradhan
Nitin Pradhan
Commentary
Connect Directly
Facebook
LinkedIn
Twitter
RSS
E-Mail
100%
0%

Q&A: FedRAMP Director Discusses Cloud Security Innovation

Maria Roat, FedRAMP director, speaks with former Transportation Department CIO Nitin Pradhan on the federal government's approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Does the FedRAMP process work on a first-come, first-served process?

Roat: FedRAMP contacts and assesses the readiness of cloud service providers to complete a FedRAMP assessment as they apply to the FedRAMP program. The JAB prioritizes the review of cloud systems with the objective to assess and authorize cloud systems that can be leveraged government-wide.

When reviewing cloud systems according to this priority, there are two distinct categories of cloud systems: (1) cloud systems with existing Federal agency authority-to-operates (ATOs), and (2) cloud systems without an existing Federal agency ATO. FedRAMP will initially place higher priority with cloud services that have existing ATOs in order to develop lessons learned to provide for rapid maturation of FedRAMP. As FedRAMP matures, FedRAMP will review cloud systems equally from both categories as resources allow.

How is the FedRAMP PMO office organized? What are its resources?

Roat: The FedRAMP PMO is headed by the FedRAMP director and has a FedRAMP manager who assists in managing the program. The PMO is comprised of program support and an ISSO team.

The program support team develops requirements and provides day-to-day support of the program. The ISSOs interface directly with the CSPs and oversee the assessment of each CSP, review the CSP's documentation and oversee the continuous monitoring process for CSPs that have a P-ATO.

The FedRAMP PMO is composed of a mix of government employees and contractors. At this time, the FedRAMP PMO has sufficient resources to support and process applicants.

How is FedRAMP changing the security culture of the agencies?

Roat: FedRAMP provides an example of how a government-wide, standardized security process can work and accelerate the adoption of technology. Cloud service providers that have a P-ATO have been approved by the CIOs of DoD, DHS and GSA, demonstrating how multiple federal agencies can collaborate to improve the security posture of systems used by the government. FedRAMP also promotes the mentality of basing security decisions on risk awareness. Agencies should be aware of their risk tolerances as the guidelines for security and implementing a system, not just compliance with requirements. Finally, no other cloud cyber security program exists on the same scale as FedRAMP. It is a showcase of innovation funded by government that can also be used by the private sector.

Explain why FedRAMP is a model security certification program for all CSPs to consider adopting.

Roat: CSPs that are looking to sell their services to the federal government will need to come through FedRAMP. Under the OMB memo "Security Authorization of Information Systems in Cloud Computing Environments," agencies are required to use FedRAMP for federal agency cloud deployments when acquiring cloud services at the low- and moderate-risk impact levels. Cloud providers can reduce the submission hurdles with new agencies.

FedRAMP can help provide a cost and time savings to CSPs through the reuse of their existing security assessments across agencies in order for an agency to issue an ATO. FedRAMP also provides transparency between government and cloud service providers. It allows CSPs to demonstrate their ability to meet FISMA requirements to agencies procuring cloud services. CSPs that already have an agency ATO using the FedRAMP templates and baselines have a smooth transition to the FedRAMP Provisional Authorization process, as the documentation is readily available for the JAB.

Top 12 Controls for FedRAMP Certification

table

Previous
3 of 3
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WKash
50%
50%
WKash,
User Rank: Apprentice
1/21/2014 | 8:35:33 PM
FedRAMP is changing the way industry looks at cloud security
Based on our latest report, it's clear FedRAMP is making an impact on cloud service providers. Read:Cloud Providers Align With FedRAMP Security Standards

 
WKash
50%
50%
WKash,
User Rank: Apprentice
11/1/2013 | 10:07:37 PM
re: Q&A: FedRAMP Director Discusses Cloud Security Innovation
One thing not said here is that agencies can also win approval for P-ATO for selected proposals separate from the JAB. The JAB makes it easier for many agencies to adopt an approved cloud service.
WKash
50%
50%
WKash,
User Rank: Apprentice
10/31/2013 | 6:01:41 PM
re: Q&A: FedRAMP Director Discusses Cloud Security Innovation
For anyone trying to understand what FedRAMP is, why it matters, and how it's changing the way security authorizations are getting done in #GovIT, this interview w/ @USGSA's director Maria Roat is a great primer.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.