informa
Commentary

Q&A: FedRAMP Director Discusses Cloud Security Innovation

Maria Roat, FedRAMP director, speaks with former Transportation Department CIO Nitin Pradhan on the federal government's approach to security assessment, authorization, and continuous monitoring for cloud products and services.
Does the FedRAMP process work on a first-come, first-served process?

Roat: FedRAMP contacts and assesses the readiness of cloud service providers to complete a FedRAMP assessment as they apply to the FedRAMP program. The JAB prioritizes the review of cloud systems with the objective to assess and authorize cloud systems that can be leveraged government-wide.

When reviewing cloud systems according to this priority, there are two distinct categories of cloud systems: (1) cloud systems with existing Federal agency authority-to-operates (ATOs), and (2) cloud systems without an existing Federal agency ATO. FedRAMP will initially place higher priority with cloud services that have existing ATOs in order to develop lessons learned to provide for rapid maturation of FedRAMP. As FedRAMP matures, FedRAMP will review cloud systems equally from both categories as resources allow.

How is the FedRAMP PMO office organized? What are its resources?

Roat: The FedRAMP PMO is headed by the FedRAMP director and has a FedRAMP manager who assists in managing the program. The PMO is comprised of program support and an ISSO team.

The program support team develops requirements and provides day-to-day support of the program. The ISSOs interface directly with the CSPs and oversee the assessment of each CSP, review the CSP's documentation and oversee the continuous monitoring process for CSPs that have a P-ATO.

The FedRAMP PMO is composed of a mix of government employees and contractors. At this time, the FedRAMP PMO has sufficient resources to support and process applicants.

How is FedRAMP changing the security culture of the agencies?

Roat: FedRAMP provides an example of how a government-wide, standardized security process can work and accelerate the adoption of technology. Cloud service providers that have a P-ATO have been approved by the CIOs of DoD, DHS and GSA, demonstrating how multiple federal agencies can collaborate to improve the security posture of systems used by the government. FedRAMP also promotes the mentality of basing security decisions on risk awareness. Agencies should be aware of their risk tolerances as the guidelines for security and implementing a system, not just compliance with requirements. Finally, no other cloud cyber security program exists on the same scale as FedRAMP. It is a showcase of innovation funded by government that can also be used by the private sector.

Explain why FedRAMP is a model security certification program for all CSPs to consider adopting.

Roat: CSPs that are looking to sell their services to the federal government will need to come through FedRAMP. Under the OMB memo "Security Authorization of Information Systems in Cloud Computing Environments," agencies are required to use FedRAMP for federal agency cloud deployments when acquiring cloud services at the low- and moderate-risk impact levels. Cloud providers can reduce the submission hurdles with new agencies.

FedRAMP can help provide a cost and time savings to CSPs through the reuse of their existing security assessments across agencies in order for an agency to issue an ATO. FedRAMP also provides transparency between government and cloud service providers. It allows CSPs to demonstrate their ability to meet FISMA requirements to agencies procuring cloud services. CSPs that already have an agency ATO using the FedRAMP templates and baselines have a smooth transition to the FedRAMP Provisional Authorization process, as the documentation is readily available for the JAB.

Top 12 Controls for FedRAMP Certification

table

Recommended Reading: