New Standards on Cloud Security with FedRAMP
This post was originally featured on Carahsoft.com.
The explosion of cloud technologies in the early 2010s was followed by an explosion of cybersecurity breaches that caused many government organizations to rethink transitioning to the cloud. To address these concerns, a government-wide program, FedRAMP, was launched in 2012 to produce a set of cloud security standards for all federal agencies to follow. These standards have helped government and technology providers, including GovDelivery, to raise the bar on cloud security.
FedRAMP itself is a maturation of other standards from years ago. Its strict regulations have helped eliminate some of the remaining apprehension agencies may have about a cloud transition; the program provides a standard against which all cloud products and services adopted by agencies undergo a stringent security assessment, authorization, and continuous monitoring. FedRAMP has made tasks such as keeping all network logs in one place, putting two-factor authentication on every device, and encrypting data at rest the standard.
But FedRAMP goes a step further than just rules and regulations; it’s a toolkit for any agency that’s doing cloud computing to make sure they’re secure and to guarantee that they’re using the cloud in the most effective ways possible. FedRAMP has matured significantly since its creation several years ago – most importantly, the program has evolved to be agile and meet increasing security needs in the following ways:
FedRAMP is more than a set of controls
There’s a common misconception among government cloud users that cloud security is just a set of controls: Is your data encrypted? Do you have keys on critical server racks? However, it’s much more complex than that. Cloud security is a whole set of policies and procedures that agencies need to follow; organizations must adopt those controls but then also implement processes within the organization that dictate how to deal with them.
For example, agencies and companies should ask:
- How do we deal with incidents?
- How do we report these incidents?
- What’s our relationship with the partners we work with?
Once those questions are answered, agencies and industry partners are better equipped to deal with and respond to incidents.
FedRAMP’s demand to adapt keeps cybersecurity strategies agile
Cyber threats evolve daily and are becoming more unique, targeted, and specialized. All FedRAMP-approved platforms are required to use a third-party scanning system, on more than a monthly basis, that looks for the latest threats and tests responses. This requirement ensures that an organization’s cloud security posture is flexible enough to detect quickly and adapt to better protect against a future attack. For example, a platform might pass the scan one week but fail it the following week as new threat vectors emerge. Cyber threats adapt quickly, and platforms must evolve rapidly.
Over the next few years, as the threat landscape continues to change, we’ll likely see new, more advanced FedRAMP standards. There will be more of an assessment of the types of data held within the cloud, such as HIPAA compliant information. There may even be a sort of bifurcation where different types of applications get approved to hold various classes of data; those classes may get more sophisticated over time as cloud security matures. Even more, we may see other standards that we need to adhere to as security changes, such as global initiatives and international agreements.
FedRAMP is transparent
Any agency can access information about a certified cloud vendor using the FedRAMP.gov site. This allows agencies to spot-check every FedRAMP provider and look into the unique security mechanisms of every approved vendor. Interested parties can log on and find information about GovDelivery – our controls, reports, who we send incidents to – and even look at our incident history. The ability to spot-check and investigate a pre-approved solution before adopting it helps to centralize an agency’s inspection process as well.
FedRAMP’s high standards make every agency’s cloud strategy stronger. By pairing security and transparency with reports on cloud usage and utilization for business owners, stakeholders are empowered to move to the cloud without worrying about security.
Ideally, the entire cloud computing industry will seek FedRAMP approval over the next few years. At GovDelivery, we believe cloud computing can only succeed, especially in government, if it is held to the highest standards.
For more information on how GovDelivery – the first digital communications system to receive FedRAMP approval – approaches cloud security, listen to this Innovation in Government Report or download this resource.