Revamping FedRAMP: GSA's cloud security upgrades

GSA's McClure tackles myths about program, lists areas tiger teams are working on

Editor's note: A version of this story was previously published at GCN.com.

Five new tiger teams of representatives from across government are working to improve the Federal Risk Authorization and Management Program (FedRAMP) based on feedback submitted during the public comment process, the General Services Administration’s David McClure told attendees at recent a symposium on high-performance cloud computing in Washington, D.C.

McClure provided a short list of concerns that GSA and government partners are working on to improve FedRAMP and sought to dispel myths about the security accreditation and authorization program designed to vet cloud providers and services. One big myth is that with FedRAMP the government is “blowing up [the Federal Information Security Management Act] and completely redesigning the security approach to the federal government,” McClure said during the symposium sponsored by AFCEA's Bethesda chapter at the Willard InterContinental Hotel.

Instead, FedRAMP’s “focus is to improve the security accreditation process by using an approach that can be vetted and reused across the government,” McClure said. The goal is to implement it once, use it many times and bring some consistency to how this is being done. Hopefully, this also will lower the cost for the security process, he said.

GSA is trying to improve FedRAMP. Out of thousands of comments  submitted, GSA chose these aspects for attention.

1. Too many controls and controls for different risk levels.

The government is working to reduce the number of security controls that will be tested. GSA and others cannot eliminate all controls because many are stringent and necessary to secure government computers. However, the government is trying to differentiate between controls at the low-, medium- and high-risk levels – all of the objectives of FISMA.

2. More guidance on third-party assessors’ independence.

Who assesses the cloud provider? Some service providers pick the organizations that assess them and then provide reports to the government. This is equivalent to someone picking his or her own home improvement inspector whentrying to sell a house, McClure said. There are options such as having government entities do the assessment. The government is exploring a NIST suggestion to come up with a model similar to consumer product testing or the standards health area where there is an accreditation board. This world-class board would have the independence to approve a set of accredited assessors, McClure said.

To read the full version of the article, including the remaining five concerns GSA is addressing, click here.

About the Author

Rutrell Yasin is is a freelance technology writer for GCN.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.