CloudAnalogy
What is FedRAMP and in what capacity will it influence cloud security?

The Federal Risk and Authorization Management Program (FedRAMP) is the current administration's attempt to establish cloud computing security standards for cloud service providers (CSPs).

FedRAMP's primary goal is to streamline the authorization process for government agencies to work with public and private cloud hosting companies. This follows certain provisions of the National Defense Authorization Act of 2012 that require the Department of Defense to migrate data to private sector cloud solutions. This is mainly due to evaluations that confirm that the private sector is better able to provide equal or greater security at a fraction of the cost.

This is exciting news within the cloud hosting community, although there are concerns. How will FedRAMP achieve what it promises? As of January 6, the FedRAMP Joint Authorization Board approved the baselines that federal agencies will use for their reviews. What this means for CSPs is that once a provider is approved, it does not need to repeat the process for each agency. Continuous monitoring baselines are universal, so working with multiple government agencies should, in theory, be easier. If a particular agency has additional security needs, CSPs will not be required to clear the same hurdles again, because that groundwork has already been established. Of course, this is the best case; with any bureaucracy, the possibility of getting bogged down in red tape is always on the horizon.

This is a major concern, as each state and federal agency will use FedRAMP only as a starting point and may decide to impose a multitude of additional security requirements if it wishes. This could make FedRAMP compliance irrelevant. In fairness to these agencies, not all of them will fit perfectly into what FedRAMP offers as a cloud security standard. From a provider's perspective, there are many questions. Most CSPs wonder how to make legislation and compliance work effectively for the business. Yes, it is wonderful that the federal government believes that private-sector CSPs can provide greater security at a lower cost. Before we congratulate everyone, we must take a look at how standardization in the computer industry has been done in the past.

For more than a decade, the IT solutions that are changing the landscape have outpaced the government's ability to legislate in a timely manner. These changes are happening faster and faster, while the ability to create new procurement programs continues to evolve at the same slow rate. Reverse auctions and seat management, for example, have only cost time and run up debt on both sides. There is really nothing to suggest that FedRAMP will be any different, despite the refreshing idea of "do it once, use it many times".

The concept of establishing universal cloud security standards is fundamentally valid. Working with government agencies will certainly attract many CSPs. Businesses ready to migrate to cloud-based solutions are likely to feel comfortable knowing that there is a universal security standard. Unfortunately, it remains to be seen whether the government can keep up with every new development in the IT world without that development being delayed in the legislative process.