Single standard for cloud-computing services
The Federal Risk and Authorization Management Program, also known as FedRAMP, is adopting a “cloud-first” policy that will standardize the basic security requirements that cloud-computing providers, such as Google and Microsoft, will have to meet before receiving government contracts. Third-party assessment organizations will be hired to verify whether companies meet the basic security requirements.
This change aims to improve IT procurement and comes as the government is in the process of transferring computer services, such as e-mail, to cloud-based systems. Technology programs have been shut down in recent months because they were running over budget and behind schedule, so fixing IT is a priority. The main goal is to build a security framework in which the rules and policies are applied consistently across multiple projects.
How will this program work?
This initiative will standardize the security of cloud products and services and accelerate their adoption. The purpose is to establish a single government-wide cloud security program, meaning that a vendor would not have to repeat the security approval process every time it wants to bid on a cloud-computing contract.
A list of accredited third-party assessment organizations is available to vendors to help them authenticate more than 160 security controls, including spam filter capabilities and encryption standards.
What are the benefits of the program?
The process will reduce the redundancy of multiple agencies evaluating the same cloud product. For companies, the time to sell to the government will be shorter.
- Increases re-use of existing security assessments across agencies.
- Saves significant cost, time and resources.
- Enhances transparency between government and cloud service providers (CSPs).
- Improves the trustworthiness, reliability, consistency, and quality of the Federal security authorization process.
The program is managed by the General Services Administration, as part of the Department of Homeland Security. You can read more about FedRAMP at this GSA page: https://www.gsa.gov/portal/category/102371.
If it brings the standards that everyone has been waiting for in cloud computing, it will be a great win, both for CSPs working on government projects and for the entire industry. In time, we will see whether this is a good initiative or not. What do you think?
Photo source: https://www.sxc.hu/photo/985078.