What FedRAMP Means for Agencies and Cloud Providers
What is FedRAMP, and Why Does it Matter?
If you’re in IT, particularly in the federal space, then you’ve heard of FedRAMP. What is it, and what are the implications to federal agencies?
Recently, cloud computing has become far more widely used throughout the federal government. Though hesitant at first to keep pace with the adoption rate of the enterprise, federal agencies are transitioning from traditional IT infrastructures to the cloud with increasing frequency. Sights are set on reducing the upfront cost of infrastructure, improving scalability, and improving ease of maintenance and reliability of overall systems. However, the security implications of moving toward cloud platforms aren’t as black and white.
Here’s where FedRAMP comes in. Essentially, it’s a standardized review process for cloud computing platforms and services. The goal, as explained by FedRAMP, is to simplify security in the age of digitalization by providing a consistent methodology for cloud security when cloud computing platforms and services are used by or within federal agencies. It contains a set standard of roles, security controls and an overall standardized review process of cloud environments and their respective platforms, which allows federal agencies to more easily seek out validated cloud resources to satisfy their specific needs. These same rules apply to an agency’s home grown cloud resources as well, should they decide to build their own cloud infrastructure and services vs buying from a qualified cloud services provider. FedRAMP compliant providers opt for undergoing the review process to make themselves available to public sector customers. However, completing the FedRAMP process requires a sponsoring agency which intends on using that providers cloud resources.
FedRAMP allows agencies to identify a cloud service provider quickly and as one of its requirements, enforces continuous monitoring of the cloud computing platform and services. Agencies are better positioned to understand and assume the risk of using the cloud environment they’re entering, as well as being kept informed of potential changes to the platform, thus helping mitigate new risks that may be introduced later.
…But It’s Not Just About Infrastructure or the CSPs.
Another factor to consider for any federal agency moving workloads to the cloud: IaaS is one thing, and it’s what most people think of when it comes to cloud, but there are other cloud assets that are also subject to FedRAMP. Microsoft’s Office 365 and Google’s G-Suite are prime examples; these tools have to be as compliant as infrastructure does, and they are. Both of these Software as a Service offerings are indeed FedRAMP compliant and offer a way for federal agencies to utilize cloud resources right away.
It’s also important to note that while FedRAMP reviews CSPs for compliance, federal agencies themselves are responsible for assuming and ultimately mitigating risk as well as obtaining FedRAMP authorization. When applied properly, it’s estimated that the framework saves 30-40% of government authorization costs by means of reducing the time and resources needed to execute security assessments.
If you’re in the beginning stages of moving to the cloud, you should start by clearly defining mission needs and requirements. Based on what you’re looking to achieve, begin researching potential providers, particularly those within the FedRAMP marketplace who have already achieved compliance with other sponsors.
Continuous Monitoring with Splunk and Other Solutions to Help You with FedRAMP
As mentioned above, part of the FedRAMP accreditation process requires continuous monitoring of a set of security controls defined by NIST. To ease this burden, Splunk has released multiple apps to help with continuous monitoring and becoming FedRAMP compliant, including an app plugin that helps platform providers execute risk assessment of their cloud platform.
Additionally, enlisting the support of seasoned engineering consultants to help with your FedRAMP certification in an advisory capacity is also an option worth considering. In addition, there are many tools and products available for addressing security and documentation requirements.
Do you need more information on how FedRAMP applies to you? August Schell can assist with continuous monitoring and risk management by custom tailoring a solution set that will meet your FedRAMP requirements. We’re also here to answer your FedRAMP questions. Reach out to an August Schell specialist now, or call us at (301)-838-9470.